Malware Analysis Report

2024-11-30 22:15

Sample ID 241118-xg8gzstbkj
Target 85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
SHA256 85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62c
Tags
dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
score
10/10


Analysis Overview

score
10/10

SHA256

85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62c

Threat Level: Known bad

The file 85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe was found to be: Known bad.

Malicious Activity Summary


Colibri Loader

Process spawned unexpected child process

UAC bypass

Dcrat family

Colibri family

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 18:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 18:50

Reported

2024-11-18 18:52

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\audiodg.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\audiodg.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 868 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Users\Admin\Music\audiodg.exe
PID 868 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Users\Admin\Music\audiodg.exe
PID 868 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | C:\Users\Admin\Music\audiodg.exe
PID 1996 wrote to memory of 2664 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1996 wrote to memory of 2664 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1996 wrote to memory of 2664 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1996 wrote to memory of 2784 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1996 wrote to memory of 2784 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1996 wrote to memory of 2784 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 2664 wrote to memory of 1264 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\audiodg.exe
PID 2664 wrote to memory of 1264 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\audiodg.exe
PID 2664 wrote to memory of 1264 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\audiodg.exe
PID 1264 wrote to memory of 864 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1264 wrote to memory of 864 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1264 wrote to memory of 864 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1264 wrote to memory of 272 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1264 wrote to memory of 272 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1264 wrote to memory of 272 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 864 wrote to memory of 3032 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\audiodg.exe
PID 864 wrote to memory of 3032 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\audiodg.exe
PID 864 wrote to memory of 3032 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\audiodg.exe
PID 3032 wrote to memory of 1152 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 1152 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 1152 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 1896 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 1896 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 1896 | N/A | C:\Users\Admin\Music\audiodg.exe | C:\Windows\System32\WScript.exe
PID 1152 wrote to memory of 2520 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\audiodg.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\audiodg.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe

"C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Music\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\Music\audiodg.exe

"C:\Users\Admin\Music\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf501bc-6182-409b-b482-3e8138246bd7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f2d856c-ed51-4db4-9464-5db117411231.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b07ed07a-8be5-4387-a480-86c88dfe57a6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcf68c1-fb20-4945-903b-71b02fefe21c.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31d6af39-eb31-4df4-9694-b81ce2bfc5d3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34c642f6-8670-4449-bbf2-5892ca374b3b.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c54e0ff6-3d1c-4b00-bf33-e30ffb20b6e1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e976ed-7825-44d8-9b12-d92d2427461f.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8563f3cc-d209-4900-b099-a38d76781978.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d7692f5-7521-4a1f-a9b5-f67f189a1e74.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc236e47-79ae-4f89-bc12-a1dc195f5255.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b30836-b92b-439d-ab74-afbc38057618.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4e9d83b-95c6-403c-95e4-44e71b3cbc19.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f599ba15-bdac-4dac-8782-cff7b69fa393.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\809edc55-320b-4041-8947-4b2d087db93f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9598b5cb-ea80-45f5-9866-fee5509f31da.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c30eb80-b06f-41a7-a697-ecf383ffd530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0e787ea-24e9-4f20-a884-ff89d5a9cd41.vbs"

C:\Users\Admin\Music\audiodg.exe

C:\Users\Admin\Music\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6a74be9-1091-4aa2-831e-bf3f99145d9e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2fdf1f-9f86-4706-b7e2-2d3d9652150e.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp

Files

C:\Users\Admin\Music\audiodg.exe

MD5 5be41c7ee0a83c4e3be16eec0584ebf0
SHA1 5dcd33a9b54d087cf612da502b9f3ce055aee5a0
SHA256 85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62c
SHA512 24f106fc859a9fc70c4715e27100dbb4b4eafbe5737d4e17ed51736aeee2e7a6c0dc4928b919104e7ea3150eca2aacd21257c547bdf111c2c872840b37621a85

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7baf3fcf88531306c0d7497d4bf87a6a
SHA1 af2b511f665c855767f4baf719b0854765da913d
SHA256 4a6b6390cf431e2263024bb463c37bd1adecaec572339c495b16908033491a2d
SHA512 2f406ff3f795c3764a6a3ec3322c06488f5957bd8fa3328816e2b394f064915c963a9b290c1dcfd170e6ab8c59fdfd0ac5f49d4ee537ef2e791111c2e319898c

C:\Users\Admin\AppData\Local\Temp\5f2d856c-ed51-4db4-9464-5db117411231.vbs

MD5 9df82cca893f0c0a4532025aebf18a02
SHA1 631030daba7f46aec8770f4bc72771be4e649bba
SHA256 a6808536d9aa1686346176188efde236c956c39eb0e69ae10f47a73e7005497f
SHA512 d56591e357529d1f44af6071e209c4e2cc5a785ada1143df9431f5b0ebcdf72e7c0c02a6f20528aa90b318c2d8cbad03d897c659dea52e7800ce25cde34b89d3

C:\Users\Admin\AppData\Local\Temp\2bf501bc-6182-409b-b482-3e8138246bd7.vbs

MD5 549a1494e4ca016d20ee3abea19fa666
SHA1 760aff0a6d0b4c0e54b112f0837e8e77744ff523
SHA256 463f5a79243e0b5e1f588bba2cb638e6a1d662329ed4e380a0e125f0c245412d
SHA512 e450d880592619d137334c115ac70765cdf43aff86cfc9e3610f1ada60c3c3ef86f517f34de6dca4674189fe555c55cb8724297d7805149692f716f51c9053f0

C:\Users\Admin\AppData\Local\Temp\tmpFFC2.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\b07ed07a-8be5-4387-a480-86c88dfe57a6.vbs

MD5 c075dbfeaad045618f0774f0d5d89d54
SHA1 e0b986ae1ac6d579bcd32bc8f38a237084ba92e7
SHA256 dd6ebc233ba2b8e25dac9505c00a8f09c36f394de6d50968fc305341cf3575e6
SHA512 16530365c7b28894beab72965f1a4845075cce16167f6b3116e71a63bb5c98ba0b8812dd8157a0e00075e30d3e1c5e039566c2d8c3b1c7276e6f54755f71cfe3

C:\Users\Admin\AppData\Local\Temp\31d6af39-eb31-4df4-9694-b81ce2bfc5d3.vbs

MD5 0e6afbcfe37e1a9ccd3b7cea8f2e0278
SHA1 c38430afab05aa4e4dc9c42872e61a32a08960c3
SHA256 1983306136819ec342fdea19544d5252194ee688e64abd8b1a0d38bcc8d70f41
SHA512 e3e4213b8903b8fabef7e1700a8d8ff6e2c459686b1a4ee3688abb295fa428488ba47753558ea5ef330d6ed99e4d30fc38476574f1435313a0057143e0dd1b63

C:\Users\Admin\AppData\Local\Temp\c54e0ff6-3d1c-4b00-bf33-e30ffb20b6e1.vbs

MD5 e97ecdd5885df288698cc172dea259dd
SHA1 920048d80db47556db73794546b1304c70fc7878
SHA256 98a4cdcdb4091096abd1d566f69d0aabbe9566912fc34f606b7d39ddd442cb8b
SHA512 defa51ae0972f8be189bfbbe414537b235f3312f9b983c7de843a807f88b10f3c2fec78c6d0d227bd0d337287698dc1b597cd2792445fddebd40bd43f95e7dd8

C:\Users\Admin\AppData\Local\Temp\8563f3cc-d209-4900-b099-a38d76781978.vbs

MD5 8e059d02f2ccc3d06fc19a1af5b7049d
SHA1 d799bb38811a1feacc419bbd44e70e6f8ad5b375
SHA256 cf38239e21cf4b2fb5d9b175558883217f1eb6c8b2e8c0e110f501fd2523a148
SHA512 eefc826261c5c714591ec7221ef490d69624ef85e99cb4cedf6e3196092f3e420aa377223f7ca862df365497d5b2581cdb5666ad771bef426ad93e8ea1057143

C:\Users\Admin\AppData\Local\Temp\fc236e47-79ae-4f89-bc12-a1dc195f5255.vbs

MD5 a9fdd1d201da57a3c205a3ec943a1fa8
SHA1 d1bfbee22ae217e0c56aca3a65748e2503c9ad98
SHA256 be28e7e57e85fb67f8477be59709e2ef423a263f1f3d0b434623ab6f873362d8
SHA512 65c94f74f15b2f79e297873fa4b6e1d6b3156aaf1a88b447986d02c29a704f842146b9c6441dbec049ad8abb821eeb67fa8dc55f82ca10c17159fdd2f3f7f398

C:\Users\Admin\AppData\Local\Temp\a4e9d83b-95c6-403c-95e4-44e71b3cbc19.vbs

MD5 4fa796a2a868a1fb924a6900fcd19c5b
SHA1 5433e09d698ed84408e1aec06ddceee0ed7c9bc6
SHA256 97e2e292f9fa35912867919ba4d5f5479b924a4bda155e859e25d7ec0a569971
SHA512 923fae45abb7381133aaa1e1469d4c841378153757f2ad15f2ab75caa735a993d25aabeccbfc8c39ca4c9ca634bef2d7bb7c92e94bd6eba6777a635e42ebf776

C:\Users\Admin\AppData\Local\Temp\809edc55-320b-4041-8947-4b2d087db93f.vbs

MD5 ae0c3b2842873370bc3b11c16fcc540d
SHA1 04c8d9780239a90235140908c453342cb7de7be7
SHA256 9c73e45ef42422c157f78f5b6f278b3fead928e122848cb2c0cff21f9a68b1e2
SHA512 a82b151ef757ae7d601996e712938fb278e4a6d1dffec9e24bec9f5f6e8f1ea75adb2806d4cb455bd91434c630173164940fca913dbfd84a81ca186f70e762e2

C:\Users\Admin\AppData\Local\Temp\0c30eb80-b06f-41a7-a697-ecf383ffd530.vbs

MD5 f6b21dc1364ab807d99d7c9f0f3db444
SHA1 5a78858653e04b0e7aea95f1b4bc30d5b8501e1b
SHA256 59b7fbbfb9213412d980008de58f298bcac4cf1745e63468c2b2aeb3f24f0b08
SHA512 618460d9d253f004da63a038e9882481b4debcfeec5d320def3ab6c08b4fcf4699bfbd508413522f0d57f060c296c3a029dbfa15b26a6e508bc298430f00321a

C:\Users\Admin\AppData\Local\Temp\c6a74be9-1091-4aa2-831e-bf3f99145d9e.vbs

MD5 f7dbd6c288c33e69e32ecfb82195caac
SHA1 50842da7f0bf8f87e6ab8c1b80c5f512cb556037
SHA256 bbc765006404ed15676548cbd0b828585e5938519cedc5f2c9ba57999d61d679
SHA512 29578598989fa0121c92e4ab5b3894402dbbc1030c0fea2689e7d7c5c887e5767f766cfffe33674b119c992ba084f9e7a7b9ef76ae807a7c557d1d5b6e943d2b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 18:50

Reported

2024-11-18 18:52

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5AEC.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2EB7.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp693F.tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Photo Viewer\uk-UA\RCXCAA0.tmp C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files\Windows Photo Viewer\uk-UA\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXBACA.tmp C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCXC88C.tmp C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXBCEE.tmp C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXB8A6.tmp C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\RCXC5FB.tmp C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PLA\Templates\6c5cb502ddf92b C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Windows\PLA\Templates\RCXC155.tmp C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File opened for modification C:\Windows\PLA\Templates\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
File created C:\Windows\PLA\Templates\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2EB7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5AEC.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp693F.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A (10 occurrences)
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (36 occurrences)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A (9 occurrences)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (33 occurrences)
N/A N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A (10 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (11 occurrences)
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A (10 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe (3 occurrences)
PID 4588 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe (7 occurrences)
PID 1776 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 1776 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 4732 wrote to memory of 1092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)
PID 4732 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (2 occurrences)
PID 3268 wrote to memory of 4992 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\WScript.exe (2 occurrences)
PID 3268 wrote to memory of 632 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\WScript.exe (2 occurrences)
PID 3268 wrote to memory of 3640 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe (3 occurrences)
PID 3640 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe (7 occurrences)
PID 4992 wrote to memory of 3700 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (2 occurrences)
PID 3700 wrote to memory of 3152 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\WScript.exe (2 occurrences)
PID 3700 wrote to memory of 3180 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\WScript.exe (2 occurrences)
PID 3700 wrote to memory of 3536 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe (3 occurrences)
PID 3536 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe (3 occurrences)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A (10 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A (10 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A (10 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe N/A

Uses Task Scheduler COM API

persistence

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe "C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe"
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Music\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN8" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Templates\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN8" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Templates\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\WDF\SearchApp.exe'" /f
C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe"
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\WDF\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\WDF\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe"
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5l00fIEm30.bat"
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69281d43-f00a-4d1a-bcd6-5273ee616ddd.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e68ed2-c0b6-44d0-93a7-2d6cfa648ef1.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp.exe"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2b1f38-b9cc-42db-8aa7-6501030d949e.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff630d2f-63da-4298-a2be-67cd75b546b5.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp28E0.tmp.exe"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6040a8a7-0c39-4481-8081-cd5f3bc0700f.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43c67c50-b625-44f1-9f39-5b1ef89b1d00.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp5AEC.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp5AEC.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp5AEC.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp5AEC.tmp.exe"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d840a15-9ccb-4c57-ace6-6f3018980d34.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e4d676-3e88-42c8-b27c-67ed22316ead.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp.exe"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7526c449-8b6a-49a4-a3c6-05e4ca6b56b2.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abcb1979-b07e-4824-9629-30e7f22b4483.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.exe"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f3223f1-bd1f-4dd5-81e5-816f08ac6553.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc48c5d4-faae-4af6-804a-6ba118366c28.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDE84.tmp.exe"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b86bd975-9b4e-4539-acb5-e858a2d14895.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\640bf628-6103-4729-b811-b763f6fb7216.vbs"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0a7d85e-132e-491e-91e9-4d34db212d12.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaa59b11-03d0-4239-9774-87390e397af4.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp2EB7.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp2EB7.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp2EB7.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp2EB7.tmp.exe"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06d5704f-1a05-4c34-98ec-fb63a5d2aede.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\076f2f3a-77d5-41ed-884e-99b1ac70fb4f.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp4C32.tmp.exe"
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39abe493-83ca-4e7f-a990-f2c5ff64e8f7.vbs"
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508b0b54-ce83-422a-964b-a6be83d3e4d0.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp693F.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp693F.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp693F.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp693F.tmp.exe"
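
The process list above shows one persistence pattern repeated for every copy the sample drops: each target binary carries the name of a Windows system executable (dllhost.exe, csrss.exe, spoolsv.exe, sppsvc.exe, RuntimeBroker.exe, unsecapp.exe, explorer.exe, SearchApp.exe) but lives in a directory where that binary never ships, and each is registered three times, twice on a MINUTE interval under a name with an extra trailing letter and once ONLOGON, with /rl HIGHEST, before Defender is told to exclude every top-level folder of the C: drive. The Python below is an added editor's example, not part of the sandbox report: it parses a handful of command lines copied from the table (plus one constructed benign task as a non-hit) and flags exactly those signals. The allowlist of legitimate directories is a deliberate simplification (an assumption); a production rule would carry a fuller one.

```python
"""Flag the scheduled-task persistence and Defender-exclusion patterns seen in this
report's command lines. Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Sample input: command lines copied from the Processes table of this report, plus one
# constructed benign schtasks line (the last one) so the detector has a non-hit to ignore.
SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dllhost.exe'" /f
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
schtasks.exe /create /tn "Nightly" /sc DAILY /st 02:00 /tr "C:\Windows\System32\cleanmgr.exe" /f
""".strip().splitlines()

SCHTASKS_CREATE = re.compile(r'^"?schtasks(?:\.exe)?"?\s+/create\b', re.IGNORECASE)
SCHTASKS_SWITCH = re.compile(r'/(tn|sc|mo|tr|rl|st)\s+("[^"]*"|\S+)', re.IGNORECASE)

# Names of the Windows binaries this sample copies itself under, and the directories the
# real ones ship in. Assumption: a simplified allowlist for illustration only.
SYSTEM_BINARY_NAMES = {"dllhost.exe", "csrss.exe", "spoolsv.exe", "sppsvc.exe", "unsecapp.exe",
                       "runtimebroker.exe", "explorer.exe", "searchapp.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl /st values of a 'schtasks /create' line, or None."""
    if not SCHTASKS_CREATE.match(cmdline):
        return None
    # /tr values arrive as "'C:\path\x.exe'"; strip both quoting layers.
    return {k.lower(): v.strip('"').strip("'") for k, v in SCHTASKS_SWITCH.findall(cmdline)}


def is_masquerading(path):
    """True when the file name is a Windows system binary but the directory is not one it ships in."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name not in SYSTEM_BINARY_NAMES:
        return False
    return not (p.startswith(LEGIT_DIRS) or p == "c:\\windows\\explorer.exe")


def find_persistence(cmdlines):
    """Group task registrations by target binary and return the suspicious groups."""
    by_target = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task and "tr" in task:
            by_target[task["tr"]].append(task)
    findings = []
    for target, tasks in by_target.items():
        reasons = []
        masq = is_masquerading(target)
        if masq:
            reasons.append("system binary name outside its Windows directory")
        if any(t.get("rl", "").upper() == "HIGHEST" for t in tasks):
            reasons.append("/rl HIGHEST")
        if {"MINUTE", "ONLOGON"} <= {t.get("sc", "").upper() for t in tasks}:
            reasons.append("same binary on a minute interval and at logon")
        # A single weak signal (e.g. a legitimate elevated task) is not enough on its own.
        if masq or len(reasons) >= 2:
            findings.append({"target": target,
                             "task_names": sorted({t.get("tn", "") for t in tasks}),
                             "reasons": reasons})
    return findings


EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)


def find_defender_exclusions(cmdlines):
    """Return Defender path exclusions and how much of the disk each removes from scanning."""
    out = []
    for line in cmdlines:
        m = EXCLUSION.search(line)
        if not m:
            continue
        path = m.group(1)
        depth = len([p for p in re.split(r"[\\/]", path) if p])  # 'C:/' -> 1, 'C:/Users/' -> 2
        scope = "whole drive" if depth == 1 else "top-level folder" if depth == 2 else "narrow"
        out.append({"path": path, "scope": scope})
    return out


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_CMDLINES):
        print(finding)
    for exclusion in find_defender_exclusions(SAMPLE_CMDLINES):
        print(exclusion)
```

Run against the full Processes table, the same logic groups all ten dropped copies by target path; the constructed cleanmgr.exe task produces no finding because its name is not one the allowlist cares about and it carries neither /rl HIGHEST nor the MINUTE+ONLOGON pairing.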

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
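
Three kinds of rows are mixed in the table above: DNS queries to the sandbox resolver 8.8.8.8 for the sample's own names, reverse (in-addr.arpa) lookups of IP addresses the host had already seen, and the only outbound TCP traffic, repeated connections to 172.67.186.200:80 under the name 81888.cllt.nyashteam.ru. The Python below is an added editor's example, not part of the sandbox report: it parses a subset of the rows copied from the table into an indicator list, converts the in-addr.arpa names back into the IPs they were resolving (so they are not mistaken for contacted hosts), counts actual TCP connections per destination, and applies a cheap vowel-ratio heuristic to the two long consonant-heavy names. The heuristic's thresholds are an assumption for illustration, not an established standard.

```python
"""Turn the Network table of this report into an indicator list.
Added example, not part of the sandbox report."""
from collections import Counter

# Sample input: a subset of rows copied from the Network table above
# (columns: Country Destination Domain Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
""".strip().splitlines()

VOWELS = set("aeiou")


def parse_rows(rows):
    """Split each whitespace-separated table row into its four columns."""
    recs = []
    for row in rows:
        country, dest, domain, proto = row.split()
        ip, port = dest.rsplit(":", 1)
        recs.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return recs


def ptr_to_ip(name):
    """'200.186.67.172.in-addr.arpa' -> '172.67.186.200'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def looks_generated(label):
    """Cheap DGA-style heuristic: a long label with few vowels. Thresholds are an assumption."""
    return len(label) >= 20 and sum(c in VOWELS for c in label) / len(label) < 0.35


def extract_iocs(rows):
    """Separate reverse lookups from real indicators and count TCP connections per destination."""
    iocs = {"domains": set(), "reverse_lookups": set(), "connections": Counter(), "generated_looking": set()}
    for r in parse_rows(rows):
        looked_up = ptr_to_ip(r["domain"])
        if looked_up:
            # A PTR query is the host resolving a name for an IP it already saw, not a contact
            # with that IP; keep the IP for context but do not treat the PTR name as an indicator.
            iocs["reverse_lookups"].add(looked_up)
            continue
        iocs["domains"].add(r["domain"])
        if r["proto"] == "tcp":
            iocs["connections"][(r["ip"], r["port"], r["domain"])] += 1
        if looks_generated(r["domain"].split(".")[0]):
            iocs["generated_looking"].add(r["domain"])
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_ROWS).items():
        print(key, value)
```

On the full table the connection counter shows every TCP row landing on the single destination 172.67.186.200:80, while the two .cc/.cx names are only ever queried, never connected to; that distinction is what separates a blockable C2 address from a resolver artefact when the indicators are handed to a network team.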

Files

memory/1776-0-0x00007FF91D203000-0x00007FF91D205000-memory.dmp

memory/1776-1-0x0000000000C10000-0x0000000001104000-memory.dmp

memory/1776-2-0x000000001BF20000-0x000000001C04E000-memory.dmp

memory/1776-3-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

memory/1776-4-0x0000000003220000-0x000000000323C000-memory.dmp

memory/1776-7-0x00000000032A0000-0x00000000032B0000-memory.dmp

memory/1776-8-0x00000000032B0000-0x00000000032C6000-memory.dmp

memory/1776-6-0x0000000003290000-0x0000000003298000-memory.dmp

memory/1776-5-0x00000000032E0000-0x0000000003330000-memory.dmp

memory/1776-9-0x00000000032D0000-0x00000000032E0000-memory.dmp

memory/1776-10-0x000000001C650000-0x000000001C65A000-memory.dmp

memory/1776-11-0x000000001C660000-0x000000001C672000-memory.dmp

memory/1776-12-0x000000001CBA0000-0x000000001D0C8000-memory.dmp

memory/1776-13-0x000000001C670000-0x000000001C67A000-memory.dmp

memory/1776-15-0x000000001C690000-0x000000001C69E000-memory.dmp

memory/1776-14-0x000000001C680000-0x000000001C68E000-memory.dmp

memory/1776-16-0x000000001C6A0000-0x000000001C6A8000-memory.dmp

memory/1776-17-0x000000001C6B0000-0x000000001C6B8000-memory.dmp

memory/1776-18-0x000000001C6C0000-0x000000001C6CC000-memory.dmp

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe

MD5 5be41c7ee0a83c4e3be16eec0584ebf0
SHA1 5dcd33a9b54d087cf612da502b9f3ce055aee5a0
SHA256 85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62c
SHA512 24f106fc859a9fc70c4715e27100dbb4b4eafbe5737d4e17ed51736aeee2e7a6c0dc4928b919104e7ea3150eca2aacd21257c547bdf111c2c872840b37621a85

C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/316-53-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Windows\PLA\Templates\RCXC155.tmp

MD5 f7a894d810b824c2c05fcdd7e6f6571b
SHA1 8670728981d79b49fc5bcc575198a127804eddd7
SHA256 03156df2b4284779dcc2011a9fe735f1ea654e56c02499daf089da24bf6cecb8
SHA512 f305f69d65c17f518be7a065887a9d244e48e95a397af76d102a4c319b5b596b818d48e078c53ca4aa1d7e2a03d1bb04c6240e1b5bf9ca1180b4b4abe427b836

memory/1776-120-0x00007FF91D203000-0x00007FF91D205000-memory.dmp

memory/1776-134-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

memory/1776-148-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

memory/3628-154-0x0000016C42C50000-0x0000016C42C72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_af30jw1b.hl4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\5l00fIEm30.bat

MD5 49668c461c05e6b3ef219741ff9c8e7c
SHA1 88c56dff69ac26caec41108e1d1bdbc7f76c18b0
SHA256 dbf5ebfc31ff44833973a1e0a86707c16715a750b38508cc6f1f501db468dc2e
SHA512 4990b3492aa382d94780e4b224653f16695feca1c29a00cdee19839557d644ef4e60fe35ef35720c87a73e554a087861191a3972faab7b3a1c34df58960cc25c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Temp\69281d43-f00a-4d1a-bcd6-5273ee616ddd.vbs

MD5 d8cd6d30e98a3558894c2aa54022b784
SHA1 6d8179e13aaccda325478c031ae2fd6049565356
SHA256 14e58a58143abfc7ab4e562ab642c8b70cab19b85b998a0f428ff1f07a8d5f1d
SHA512 1dd86c927e0bec493868c38d3122b6ace3c8ddd39454babdf7a46206c5f6355737926b665e15ca032ddb1b6a5ed9a1d1bce211ace06a94e69b342aede7e047ed

C:\Users\Admin\AppData\Local\Temp\68e68ed2-c0b6-44d0-93a7-2d6cfa648ef1.vbs

MD5 521f75cc5b714668a3876ec2eb1100a0
SHA1 623ad4cf56ac71cc415552d1050395fd20831619
SHA256 d9882cbb6ccad1ca83c02206ca24e50546e9e174de7ce3ada8f1cfd5251076f8
SHA512 728289e57f619fb465aa9d60779dd80813eddfd29db78b793af0ff4882e53588344d98436e055aba3adc20bba857180053c2d86e16a70fd4586265b4bf9a9e4b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\4f2b1f38-b9cc-42db-8aa7-6501030d949e.vbs

MD5 9437667e953450aa897ac69baaf5f488
SHA1 6372f7b2801f496b9de90bd0767aea9aaf2fd142
SHA256 bda6dd27a4d62765dbec1433b3ec772400d401c7f9b3809455618c9dbef62132
SHA512 30c43c3fb3f478cb977daf66e1a20c417a288fc4fc107cfd675dd9b4aa35a5975fdff2eba8ccf3e83a9c6705589de5d1ee3cea5d2d27e564e6ec97eacb2c2a77

C:\Users\Admin\AppData\Local\Temp\6040a8a7-0c39-4481-8081-cd5f3bc0700f.vbs

MD5 289e44a4d7b509dc7429fb40d0c7fa40
SHA1 baf614707cd862d6e351e354791eed37feac6f86
SHA256 99b3667e7bec833ac3e80a0542584fd2a5b80304a3bdf7e7c0b21d10e2b4155d
SHA512 049a3e3ec5e371602d3d0ca8a354b0f415fbd81dc215376c9c77b2aef899ce2514bcff3210aba17dcdfd7b6931eda519cd3b0f6506db6e62d7ee19c9213594f3

C:\Users\Admin\AppData\Local\Temp\2d840a15-9ccb-4c57-ace6-6f3018980d34.vbs

MD5 0ff7406cc2c6070808ab910ec738f229
SHA1 05f2af3a0b9a955f2625774f1459d4797b95f957
SHA256 db47217bbb30888953fa49c357db30b0f55ae3e96b02d3aa7bad81b34fb9ff58
SHA512 f4422030edcecf610421c2bcdbbb94367175a303ae062f7f474407c5ceabc94b89218b550c320da37d19aeb672d4fc33cb183ce0d64b9401b482e132a09d5d5c

C:\Users\Admin\AppData\Local\Temp\7526c449-8b6a-49a4-a3c6-05e4ca6b56b2.vbs

MD5 97688d325f882392777e5db31b7698c7
SHA1 78196dfc5ea9c4279b3a5a156933d778ca19610f
SHA256 fd1a12b5977085f4492359671bdf82cd6837dc5c0959f0b8b842d26770149ef9
SHA512 d8a6b508a2fae2494c3bceae0bf1fdd803a47fdf1297ba3c63da8a8ee14ba6b6d6eedf1094c7c83f225eab6156078c257da90725701f9c1362d38698f9fa0c4a

C:\Users\Admin\AppData\Local\Temp\8f3223f1-bd1f-4dd5-81e5-816f08ac6553.vbs

MD5 9ce0eb603330fe977cac2e55f0170ae4
SHA1 7ce849d8a5339c4c38d2bd94a573c718b7d1a361
SHA256 a11ed38766befad339bd44855a241dc8a4a988de4d2cac4a1c4d8a00f581ae30
SHA512 771cb884a3d8e368b0ba7409be3fd55f1cee4a92c4fc853603576d1e4844ed619ef75889e55be27a795af26225517e4bb5cd75f265e4c0bed341bc6a9a433002

C:\Users\Admin\AppData\Local\Temp\b86bd975-9b4e-4539-acb5-e858a2d14895.vbs

MD5 95fbec9e0a6f367646c51af4f7bfc1a8
SHA1 6433bad83fb9ae41a658f35afa8bcf4b4fca4098
SHA256 242b13ae47b72d9bff62592a246a2c747ca06bde1320fcce7dd757c60e9b141c
SHA512 0d81a2f0d5d652690f37d9e927fc0242276319c094efe4521dbe80904900b28bc73ecb1fe2e1b48ec66e2d24f85fb301ea5d46ebc180faadf6561415fd9d024d