Malware Analysis Report

2024-12-07 14:18

Sample ID 241120-eatfdavmfp
Target ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
SHA256 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
Tags
colibri dcrat build1 discovery evasion execution infostealer loader rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847

Threat Level: Known bad

The file ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847 was found to be: Known bad.

Malicious Activity Summary

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Dcrat family

Colibri Loader

DcRat

Colibri family

Process spawned unexpected child process

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 03:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 03:44

Reported

2024-11-20 03:47

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2100 set thread context of 4340 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 2540 set thread context of 4424 N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 1296 set thread context of 1716 N/A C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe
PID 4504 set thread context of 412 N/A C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe
PID 4100 set thread context of 3284 N/A C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe
PID 4552 set thread context of 4936 N/A C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe
PID 3960 set thread context of 960 N/A C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe
PID 1924 set thread context of 2568 N/A C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe
PID 2220 set thread context of 1680 N/A C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe
PID 3596 set thread context of 2108 N/A C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe
PID 3584 set thread context of 1092 N/A C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe
PID 4388 set thread context of 4444 N/A C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\images\RCXDF19.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXFDE9.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\images\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXE835.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppReadiness\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\twain_32\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\DigitalLocker\en-US\RCXDCF5.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\AppReadiness\RCXF0F4.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\Panther\setup.exe\sihost.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\DigitalLocker\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\Panther\setup.exe\sihost.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\DigitalLocker\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\Panther\setup.exe\RCX26F.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\DigitalLocker\en-US\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\AppReadiness\dwm.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\AppReadiness\dwm.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\twain_32\RCXF9E0.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\twain_32\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\Panther\setup.exe\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\twain_32\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 3124 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 3124 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 2100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 2100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 2100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 2100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 2100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 2100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 2100 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe
PID 3124 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\cmd.exe
PID 3124 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\cmd.exe
PID 1464 wrote to memory of 2052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1464 wrote to memory of 2052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1464 wrote to memory of 4540 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\unsecapp.exe
PID 1464 wrote to memory of 4540 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\unsecapp.exe
PID 4540 wrote to memory of 4980 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Windows\System32\WScript.exe
PID 4540 wrote to memory of 4980 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Windows\System32\WScript.exe
PID 4540 wrote to memory of 3124 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Windows\System32\WScript.exe
PID 4540 wrote to memory of 3124 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Windows\System32\WScript.exe
PID 4540 wrote to memory of 2540 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 4540 wrote to memory of 2540 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 4540 wrote to memory of 2540 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 2540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 2540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 2540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 2540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 2540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 2540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 2540 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe
PID 4980 wrote to memory of 1416 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\unsecapp.exe
PID 4980 wrote to memory of 1416 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\unsecapp.exe
PID 1416 wrote to memory of 3288 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Windows\System32\WScript.exe
PID 1416 wrote to memory of 3288 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Windows\System32\WScript.exe
PID 1416 wrote to memory of 4432 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Windows\System32\WScript.exe
PID 1416 wrote to memory of 4432 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Windows\System32\WScript.exe
PID 1416 wrote to memory of 1296 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe
PID 1416 wrote to memory of 1296 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe
PID 1416 wrote to memory of 1296 N/A C:\Recovery\WindowsRE\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe
PID 1296 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe
PID 1296 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe
PID 1296 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\unsecapp.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe

"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\images\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Pictures\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppReadiness\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847c" /sc MINUTE /mo 11 /tr "'C:\Users\Public\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847" /sc ONLOGON /tr "'C:\Users\Public\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847c" /sc MINUTE /mo 12 /tr "'C:\Users\Public\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\sihost.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lxf9wchCSO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\unsecapp.exe

"C:\Recovery\WindowsRE\unsecapp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f65199b8-397c-4e65-b712-cf24f256e850.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13c60806-695e-4a31-bb79-043768b5fa78.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2A38.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0b572a6-87e6-4fd5-818d-a505689aa21e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\637369a5-87d5-4a08-9f1f-e92ea4e15d23.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7da5fe75-dbb8-43d4-b418-74fd3ffc0680.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74790478-f7f7-4025-b7c0-d3462634cd9b.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7932.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e5d1341-0a98-4bc9-ae6f-6aaba0c4e036.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\370413a4-7697-4ec9-980d-b0f1d3066369.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpADA0.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\711aee7e-fd80-4bd9-aed9-751052d44d03.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1ed3fe1-ed89-4a72-82a4-6be11017efe8.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25391721-f40f-4bd4-aa30-13a36a62ef54.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7504b6e-d583-45d5-ae3e-bb57781b3bc2.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7c821ce-c680-4881-8820-8e103c96d1bd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b6d2e95-04fc-443b-b3a6-6be727b0a5ab.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c835c8a0-4bca-4b60-86d9-c89901e6a12e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\557b2f7c-b9bb-4ab3-b5b6-3ecd8cf8ada7.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4be54d23-1bb1-42d7-a1ac-0cdd4ea4d44c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d07034-043a-49ff-84ef-3b1eb18278b7.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7E1F.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22d28155-8ae3-4411-bf81-9e7f57488e5d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a93feabb-a2fd-469b-8f5c-63e75f5bcf41.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAEE4.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b04c681-5bab-4137-82da-e3de95b6ac4d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e1604f0-5cef-4d27-9a59-48b99c4aa6c9.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE380.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c831b0ce-1adb-4eb2-bfb2-d17afcdd56b8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0e5dc94-62ec-4416-9b41-7ed40ad474f4.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp10B.tmp.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp

Files

memory/3124-0-0x00007FFC37523000-0x00007FFC37525000-memory.dmp

memory/3124-1-0x0000000000600000-0x0000000000AF4000-memory.dmp

memory/3124-2-0x00007FFC37520000-0x00007FFC37FE1000-memory.dmp

memory/3124-3-0x000000001B980000-0x000000001BAAE000-memory.dmp

memory/3124-4-0x0000000002C30000-0x0000000002C4C000-memory.dmp

memory/3124-5-0x000000001B910000-0x000000001B960000-memory.dmp

memory/3124-8-0x0000000002C80000-0x0000000002C96000-memory.dmp

memory/3124-9-0x0000000002C60000-0x0000000002C70000-memory.dmp

memory/3124-7-0x0000000002C50000-0x0000000002C60000-memory.dmp

memory/3124-6-0x0000000001430000-0x0000000001438000-memory.dmp

memory/3124-10-0x0000000002CA0000-0x0000000002CAA000-memory.dmp

memory/3124-11-0x0000000002DC0000-0x0000000002DD2000-memory.dmp

memory/3124-12-0x000000001C5E0000-0x000000001CB08000-memory.dmp

memory/3124-15-0x000000001B8D0000-0x000000001B8DE000-memory.dmp

memory/3124-14-0x000000001B8C0000-0x000000001B8CE000-memory.dmp

memory/3124-13-0x0000000002DD0000-0x0000000002DDA000-memory.dmp

memory/3124-17-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

memory/3124-18-0x000000001B900000-0x000000001B90C000-memory.dmp

memory/3124-16-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

C:\Recovery\WindowsRE\lsass.exe

MD5 4e3ae6b4f8ea1c5d2fb3a8bc008e2fff
SHA1 22329e6ce220cce52f7dde6e03c082d31f27bbae
SHA256 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
SHA512 6394d0a6883e478bf7f196ef1c829ff7d579ebfde1ddbdd5c59a57eb40ba82c5c15f41f71bfa4f31227198c8d722c5872c0aa01d5e750dd19523a8237db5b655

C:\Users\Admin\AppData\Local\Temp\tmpDB20.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/4340-76-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3124-145-0x00007FFC37523000-0x00007FFC37525000-memory.dmp

C:\Windows\AppReadiness\dwm.exe

MD5 19f41792216b324f11fa585955600267
SHA1 4bd9f6c4c1cb007a2d4ec7a830110aa2b09acd3a
SHA256 befdb6687b7c3c98d7bd885ea7060e559b84467c1e0ff48957093283702f0ee8
SHA512 29158a079509c32be4fd004424ae736c06c189ec610f4727b5e31eeea22a4cac6b3865d321d7f314b186f933d585a29cf02f107ef6f19a3c15f1eabe0334bea9

memory/3124-160-0x00007FFC37520000-0x00007FFC37FE1000-memory.dmp

C:\Windows\Panther\setup.exe\sihost.exe

MD5 7ef00a5f440041b36acf03ff3ca84219
SHA1 4009dfcb2ae782b5666939ec3c806f3e39fb801e
SHA256 b5a9d29bf55b92f67c0b1fce41eb53adeae952aa64cd587415be2e224adbe772
SHA512 f39e9f5bfa0b0a16d94eecbf7bf55abfa763e2202a1dca22e4a082aca9eb0a694332ff58f9b8301d8a59c4b4e9683196ae03a00823a974442dbd3f1eca9207ae

memory/3124-202-0x00007FFC37520000-0x00007FFC37FE1000-memory.dmp

memory/3964-213-0x000001DB66470000-0x000001DB66492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sextj1ut.cbq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Lxf9wchCSO.bat

MD5 eb7af2fb788f122e1fc0240402728980
SHA1 4ce95b6230934c2fb1c7d5c89e90b80b18a96759
SHA256 d96d1aff154c9aede36a945e88359e5d1dcc2551f4983d65e5eb88649c38be4d
SHA512 27b32bfc131273fd29178fa5ffa0da82859ba5df5af52f09699a50817d1fb25e64453c86ba0d2c1f0e900a4e6cec8556a98b30fd9cb9dd69110b18eb47630574

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Temp\f65199b8-397c-4e65-b712-cf24f256e850.vbs

MD5 6263af8201ad16b7c3b82e4804504520
SHA1 7e991c6e4c30c9923660d070fe62443c36e61030
SHA256 a47db062d31897a71c6988d2e970f26c169cbc2ca2c8b0dcc1174a8b9fec2c70
SHA512 c805b69bc9f7b14c1229931b461556937df48a3a30f510cea0989fd4f68a602a0e152f970099e5a9a3d761ad9c0f6c4c79d102cb8c908445b54c6146e6870acf

C:\Users\Admin\AppData\Local\Temp\13c60806-695e-4a31-bb79-043768b5fa78.vbs

MD5 f027db7f24083d597442ba7341383c31
SHA1 390385373b7d4b2767c93f5cbf63a76a7f6ed193
SHA256 c824ec48e94cc66b6bf834e4d4026bf1df404020df24912ff39ef758b5cc8825
SHA512 a785aae3f72f1dcb4d2706d8ebfbf1f1b528329cf8842f2ab3457047432b36e93469651ac51688fc66b62dd793bfab3a9c74432d216b1ed385d068d290e00ce3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

memory/1416-352-0x000000001BDA0000-0x000000001BDB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0b572a6-87e6-4fd5-818d-a505689aa21e.vbs

MD5 8f20052ad5a20b6cdb1381adbd47dabd
SHA1 ced98a28ed59856a553e60a56c98fb8e5c2d2a03
SHA256 fb53d9d506f84801674a75d41b1f7ca9d7eb3ae74b2b0468ff460fef3f23e773
SHA512 9b6d56a83a8a40b18707b32177305973915bd8a319a9f74a9b8a729013973be0502eed2c7954c25766aad7d7ff78d63c6be922a684aab7e9841f14929e075bcf

C:\Users\Admin\AppData\Local\Temp\7da5fe75-dbb8-43d4-b418-74fd3ffc0680.vbs

MD5 70c9bbfee3a8d78899bd488ee02c6b0f
SHA1 114dc775b50fa71cc3ee131dbe43c56b8a3c8aa8
SHA256 697f81f8b83c113e584c7d4368dddecb95144e01627736cba463270ea04cca8c
SHA512 503738024698e1027aff31046f2f9f30e974f5897964bfe3fafc6e679f2c6b1a18ce2789f18d6e408a3a13db31d91170d30b0e1a06d10eef5ee2d4ab82cedef0

C:\Users\Admin\AppData\Local\Temp\4e5d1341-0a98-4bc9-ae6f-6aaba0c4e036.vbs

MD5 26d1df124a7bc72709048baa924cb810
SHA1 8839d96d6d44a8862d7d4f1d0a9e14957add816c
SHA256 71b5ce88119569a19f5a9e1b6286a9d34d646083ef318f274fccf09183ffb6d3
SHA512 ba87cf75cca8d440bbf3da31c19f3befbc8b229a4c55f5fdd5fe32c19872c47c76a9e3e72f8abeacb5b3646b624cb863b0e8bd7e9984ca1f477293124fbce2fd

C:\Users\Admin\AppData\Local\Temp\711aee7e-fd80-4bd9-aed9-751052d44d03.vbs

MD5 975c132a22ba9ebafc0a56dcd995c27b
SHA1 b9bcf4fecdffb537248ee1b06f7b5175950abe35
SHA256 53081a5cec72c2b22593543bd7fdf1fce4eded37c7df46b1dd3098f661bc0252
SHA512 2ed260d3ed94e3480467caeed4c1de9217d8c2761c80df62c8543a19914b7908c8180c8e9c129a711077e3cc35d7a589e95bcfa9fee4b79d2fea97722599e0fd

C:\Users\Admin\AppData\Local\Temp\25391721-f40f-4bd4-aa30-13a36a62ef54.vbs

MD5 355fe790119c7311bbd3af9df475d13f
SHA1 4ebcc78b66f5be3f4b8804d04999045440dc54b6
SHA256 51cd8dec2cbb77152e64373244ec45798b4dd4e7b0f429a85e37b56ad591e912
SHA512 f90b15063a75d6ac4ee65e109f15ed97095961ad288599fb871d44fa58797d0ad8dd69678b4a31674815f8555af6bb203a83bca7eac39eddf2d68894dfa05ba2

C:\Users\Admin\AppData\Local\Temp\a7c821ce-c680-4881-8820-8e103c96d1bd.vbs

MD5 c19ab296938571e344a69f0f55d7f235
SHA1 d9fdb0c2c741ae4d5da47a1b986e1c42712cc69c
SHA256 3813ec586578e231413fbde725e6ab4d7453b4a98e94b2660860efe45eba3994
SHA512 dfb1db855d48a03fbd86b3e9188ae23f29f5e0e748ad2b6af29ffea779de0bad6af8907c939f77e8b6faa048b4d4a36d528d2a99a7a8cbe8f66edcfa18e260a4

memory/2328-481-0x000000001C4A0000-0x000000001C4B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c835c8a0-4bca-4b60-86d9-c89901e6a12e.vbs

MD5 75a21f84746b5f9b59a7b43fc9e1a06a
SHA1 2da03fc364f382c39544077f52642403efd25509
SHA256 be8de179ae9bdb08335f3aa5f7066e9830e491578816cf075afd1b4e077d0cec
SHA512 b9fc581c95b0093268db49b7dce5770dab89311ddb30e3fd398b46d23fe1421425ec95f9ca81fb896992036ff25bb491aff7f0c11942cd42319ab92c37f1ed76

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 03:44

Reported

2024-11-20 03:47

Platform

win7-20240903-en

Max time kernel

148s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\RCXD173.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RCXD3B5.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Windows Media Player\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Windows Media Player\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Windows Media Player\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 2356 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 2356 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 2400 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 2400 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 2400 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 2400 wrote to memory of 2392 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 2400 wrote to memory of 2392 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 2400 wrote to memory of 2392 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 1772 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 2652 wrote to memory of 1772 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 2652 wrote to memory of 1772 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 1772 wrote to memory of 1568 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1772 wrote to memory of 1568 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1772 wrote to memory of 1568 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1772 wrote to memory of 2488 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1772 wrote to memory of 2488 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1772 wrote to memory of 2488 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1568 wrote to memory of 1272 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 1568 wrote to memory of 1272 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 1568 wrote to memory of 1272 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe
PID 1272 wrote to memory of 3012 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 3012 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 3012 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 1272 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe C:\Windows\System32\WScript.exe
PID 3012 wrote to memory of 1216 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe

"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed063ad6-4f2e-4072-bbb8-5f6fbd6bb9db.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83633363-49e1-4e88-b057-2f89bcd75f4d.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\947d8181-c07a-444d-b5a4-fc1525bb5127.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df531624-66dd-44ac-8efa-062372ce9ced.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd4425e2-9e96-457c-ad60-10f1ec4afd3a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ae294b-b16f-49d7-9edc-0e1fa6079cac.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be5f20e8-0050-4bb6-b5b6-d8715e8eaa79.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5ff0b-ddf3-4817-a403-d25c9917f940.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdbbd813-ff84-49d2-b667-7c3c618b2530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697b6704-5d7f-45da-a971-2efbdebeefd9.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eaaa74e-e353-4d0e-9dc8-c4ed4bf1fb52.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adb2b0b4-7d46-4c2a-9902-c989cfbbc09b.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc153a04-e34e-4827-839d-8fba6f7388e2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8841600c-42f3-4b5c-b183-ccb903205101.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\585a2c84-cca9-4d29-8261-4ec3402366aa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8caae27-9492-4a14-843d-2df65afce10b.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\053e6fa7-0562-42b2-832f-85331e4db59b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0e33050-b105-4e5d-b2cd-deb3884399a3.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09cd76fb-c208-4588-a8d8-c7901cef6689.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d8017e9-61ea-4158-b560-f95709749f40.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3184a355-ca44-4f20-a56b-d3a17ecea68b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3f8ee90-d0c5-448d-9954-6b5784cf6073.vbs"

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9765060a-04ff-418d-a6cf-1359912d5570.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81f5eb6b-20c8-406b-9b43-e531f61205d1.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp

Files

memory/2356-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

memory/2356-1-0x0000000000210000-0x0000000000704000-memory.dmp

memory/2356-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

memory/2356-3-0x000000001BAD0000-0x000000001BBFE000-memory.dmp

memory/2356-4-0x0000000000720000-0x000000000073C000-memory.dmp

memory/2356-5-0x0000000000740000-0x0000000000748000-memory.dmp

memory/2356-6-0x0000000000750000-0x0000000000760000-memory.dmp

memory/2356-7-0x0000000000A70000-0x0000000000A86000-memory.dmp

memory/2356-8-0x0000000000760000-0x0000000000770000-memory.dmp

memory/2356-9-0x0000000000C80000-0x0000000000C8A000-memory.dmp

memory/2356-10-0x00000000024D0000-0x00000000024E2000-memory.dmp

memory/2356-11-0x00000000024E0000-0x00000000024EA000-memory.dmp

memory/2356-12-0x0000000002570000-0x000000000257E000-memory.dmp

memory/2356-13-0x0000000002580000-0x000000000258E000-memory.dmp

memory/2356-14-0x0000000002590000-0x0000000002598000-memory.dmp

memory/2356-15-0x00000000025A0000-0x00000000025A8000-memory.dmp

memory/2356-16-0x0000000002630000-0x000000000263C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCXCF50.tmp

MD5 a1bce312b028723b0cc7b3714d99dc65
SHA1 36b5e16b84b7e5c0c45d2b0a27561b47de00d336
SHA256 0f1ff3c74195bae101e12ba97bdf2842e3b5ca532544c793e12057312f05e047
SHA512 4485e61e5de1f040cb3d56f207e6a3836871143f39f7366c8ecf518acf4dac553d42d23430430c7f2126d8192ccc92d65348d261d4fd6801c3a025c4fe698335

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\dwm.exe

MD5 4e3ae6b4f8ea1c5d2fb3a8bc008e2fff
SHA1 22329e6ce220cce52f7dde6e03c082d31f27bbae
SHA256 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
SHA512 6394d0a6883e478bf7f196ef1c829ff7d579ebfde1ddbdd5c59a57eb40ba82c5c15f41f71bfa4f31227198c8d722c5872c0aa01d5e750dd19523a8237db5b655

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c1bcbafb1d4583090da97dc3611871e2
SHA1 a771535141d2df68338b1b491627b4581eaa59ff
SHA256 8f9904f0bbbaf0a709c47e409624326aa5a38e0e2e7b3b2f4cbe90ad9ead4bcf
SHA512 4be1a6b8a17f9faef1d961c9ec5352f92e0c7f5786146fc9ed6dcf49f46ebd2df18e7914329e55dbf885f2f3ec211345c2f4a4d26677cd1488a55b0c3465031f

memory/2400-72-0x0000000000EF0000-0x00000000013E4000-memory.dmp

memory/1508-78-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/1936-80-0x0000000002910000-0x0000000002918000-memory.dmp

memory/2356-90-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\ed063ad6-4f2e-4072-bbb8-5f6fbd6bb9db.vbs

MD5 338f021b8bc4a747ca7fc9efb16b52b3
SHA1 e068a334de0fe95a8ebb1cbcb8c75b264ed3b964
SHA256 d1e59f2505c41ae89429814eb8f90d5fcb8bbb86cf5e210ccc884ace148e9326
SHA512 351c0e45075dd957e03a9b7c483ff8b7136341d8f28d2202126611e301972c2afdf38fb29f174aab4a4a0822d3b73bd5f281a9c4070af14e7d59fa4118bcf5b9

C:\Users\Admin\AppData\Local\Temp\83633363-49e1-4e88-b057-2f89bcd75f4d.vbs

MD5 1dce60531468ab3af35cc1127516a48c
SHA1 4c0d6a668cc27daf94db525f96df9762a77e6e65
SHA256 82ca855894f37d83e84203c2244e1e7295bce092a2932e43dc0215608e2e39aa
SHA512 032dae7a18bee8b2e960f11d4decc33a0eb7bca3f4702125c73fa2dafc173fb75d8fa056b26528a1d10994b84ba01445a8a5b37a62ca3b8f1c24ad2f2c02c7f5

C:\Users\Admin\AppData\Local\Temp\947d8181-c07a-444d-b5a4-fc1525bb5127.vbs

MD5 048193943b139d33eae3aa5a9a77a121
SHA1 ff0d68a671c96ceab8271e10d07cdb71d4083bb5
SHA256 bce55f64b63107f3d85107d9f96ef01fd11c880e389085e31e0d75832d4a74e8
SHA512 cf567ab0d47a3d5f6b784129f279504a704ea7b3613ce32073e1af456ebad664e630724389055d2f8bf8b615142720bb2ad6e4629eb9b22375eb827a6a0a912f

memory/1272-150-0x00000000000B0000-0x00000000005A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fd4425e2-9e96-457c-ad60-10f1ec4afd3a.vbs

MD5 1607771ce9edc61d22135b3f59891f14
SHA1 7ded0831e2456333e0681d9af81d1a5b4700b22b
SHA256 98b424d639f709992b1fbcc624d512e7370146e99c4ef3cd765deae4c7847ce4
SHA512 ebe975f9c4b59b9efb2243904b2cca414e05e16ec1f8969efa1fd9d89aa82236d3e7ba12548f8b9d33504a781753cab8f840325f86f3aced1d41e5321163ec2d

memory/1216-165-0x0000000001080000-0x0000000001574000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\be5f20e8-0050-4bb6-b5b6-d8715e8eaa79.vbs

MD5 7e705f7748b6d5fc7398899e12eac143
SHA1 db6e7381e5a89c1bde1097bf85fb7c08434c43bf
SHA256 5ed866373e3a41566c221f550d313a445b3002a4de15f16eeef1c8fba932d0e2
SHA512 70d40b34229eab9f793c517815a43a21a30201e5da044f589529da5ef0439ce54de8fd3082f7044cbf19bbc10eb363258bb5d171a99d3fc26602150eeb1bd732

memory/2428-180-0x0000000000050000-0x0000000000544000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bdbbd813-ff84-49d2-b667-7c3c618b2530.vbs

MD5 809491d5a47fb9bc12eb5432dbdb9294
SHA1 f71fd73f28049970e9285847ac0d632cfe66c547
SHA256 7450762562157f481bba96127b78bb654912bbfe4165d3c8fcd6ab89574de5f2
SHA512 e1bf88fbb8dc5a95063c4a056b743d12a82f153afa88ca7cb657d0c60af59bcb216e479947ba4b7a45192b275e566dc0e163159a70b5e0249339545264413b86

memory/2572-195-0x0000000000170000-0x0000000000664000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8eaaa74e-e353-4d0e-9dc8-c4ed4bf1fb52.vbs

MD5 d3970d4fadf31f4c7e73788e84f21a24
SHA1 1979dd8e5ff8c1001549d0e9d5b781985b6d50f7
SHA256 48ecd8fe6ef717c90ba05c12925a06210ccc4394e3fcd30b1e507342d20fe6f6
SHA512 97bf442b46188bd0dc618b89bacae31a9432cef2d388c3488cbc4e42b5ca1eb40559bbfcb3f1a438ef1fba3e4efb01138da5b0f64df0fd69cb9b72b778cdf1a3

memory/880-210-0x0000000000950000-0x0000000000E44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bc153a04-e34e-4827-839d-8fba6f7388e2.vbs

MD5 2881335ef8d9ef33f614cc2d47ff1d21
SHA1 403161fc3e9873f14563a853bc54e0d44ac6d538
SHA256 fc73418ef6fc009d5809a207aaef45a740c9135120050251e517cb23d1edc0e2
SHA512 b123bfb671d45e37948bfa79eb2ea49436e215cf333fd6ba58bc05189a7078aeb1106cd7cc52cce490c9dcb4c4dcef8b89e98adaf1913a0965560fa56811cf7e

memory/1664-225-0x00000000007B0000-0x00000000007C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\585a2c84-cca9-4d29-8261-4ec3402366aa.vbs

MD5 c39de33b0b18c7e387629cba225bb503
SHA1 da0378a48652906ea9d2c9f92758bc801bd37064
SHA256 b99ccc78c5eff9da2d0d177a220591c3e7ded7f9ba17af7c1982580587910899
SHA512 f6e37c94cbd9b8ad6a7ea1e16d687f09d15b46a165e207a6cfc1479d4a1255c4f132a259d3fa90f5cbc062d5af6ef3491c2d074ab0a262ba163e268eede1ef4f

memory/3024-240-0x0000000000AD0000-0x0000000000FC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\053e6fa7-0562-42b2-832f-85331e4db59b.vbs

MD5 32e3773bb9f82e60f0e70bef6c166839
SHA1 f147c59cd47b9db09f3fd2f3e7b30fd56b27e576
SHA256 9e0dc99791378c204df50295ca2e4a2b7e04849e12d2296ca6272d7c1382d751
SHA512 422d544049bc9dacb378f2e27c3c88c445a31e296dbff48fc23520dcc455b314bd6fbc0960821a304ffebc51ea87d6d8bce389a25ba22e6fe782f30eeb695b1f

memory/2592-255-0x00000000002E0000-0x00000000007D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09cd76fb-c208-4588-a8d8-c7901cef6689.vbs

MD5 d5cca9233b58e20bc52e738d3826b526
SHA1 1f429467472e9addbabe5aac8803d7830fa4a436
SHA256 cce09abce992d6b9fb9942b5178969b662d131e65f8e6ff944ed0de0881a9b92
SHA512 c1a9bb24db67e83659e0362a0c5818f5dab8d0b63c08774fbed1e7cd8ee942961060d0998e5f81ce43575e0bce44742362c63f45c46d814fb1ee3ac3dc4353e3

memory/3036-270-0x00000000012F0000-0x00000000017E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3184a355-ca44-4f20-a56b-d3a17ecea68b.vbs

MD5 4580a5a32d91e586fbb4123e9e762c54
SHA1 c29fcc395759211865c5e6420f38f5b517425ed6
SHA256 cd77b90fed02c854d809bd7705cc76705d0ea81568d0f5ecb65bec1f59f1159c
SHA512 13d85a736fbfde598f068c0e73020066c42a3bb237117f60b13f727e462bc6c56e801f4591e99d43b19729323f3a68ea64da8a57bdb5205dd8ed081506b83de3

memory/3012-285-0x0000000000230000-0x0000000000724000-memory.dmp

memory/3012-286-0x0000000000990000-0x00000000009A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25e5c97c67c57ef9b1ec77b808c3fc3df07db528.exe

MD5 8ac2c588d98fef05c0e92611ba5170bd
SHA1 36913efb1e9195d196970b3d5a9609744f7cf3a0
SHA256 15866298cfdcf9ebd3ce1bae8b0679c951293ba4e2c7b63d5a228209df679fcd
SHA512 26449becd15e1400735ed02c79440857600ca1bf86481d9fbe8ef4ce12e8d976ed341e9b10d298d8c69f945f4d6df5511949a4b8fcf13e7c38354037866a0f96

C:\Users\Admin\AppData\Local\Temp\9765060a-04ff-418d-a6cf-1359912d5570.vbs

MD5 22d14df990fb4ed48931309e48b423cc
SHA1 fe3a5eca6f2ddc39c3c6b34aeab88b8118c0c4e0
SHA256 41b6b1ef45f7ddd3a0c3ffa29d4b0a00fcc98feb28cb8e216cab130b9b854349
SHA512 6bc4dab26ccdcd390fb262b42bccc0b219628455f80cb447c665f9cf89a02f75d5c4b3ea7b99fb94fa63e5aa82e9404e867d0f72ff4859623d548c02a6bcd2a5