Malware Analysis Report

2024-12-07 14:17

Sample ID 241120-edbpqs1dkp
Target ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
SHA256 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
Tags: dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847

Threat Level: Known bad

The file ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847 was found to be: Known bad.

Malicious Activity Summary

Tags: dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Process spawned unexpected child process

DcRat

Dcrat family

UAC bypass

Colibri Loader

Colibri family

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 03:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 03:49

Reported

2024-11-20 03:51

Platform

win7-20241010-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"

Signatures

DcRat

Tags: rat infostealer dcrat

Dcrat family

Tags: dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

Tags: evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A

DCRat payload

Tags: rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\56085415360792 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\RCX1B71.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
N/A N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Cookies\WmiPrvSE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 1764 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 1764 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 3032 wrote to memory of 2684 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 2684 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 2684 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 944 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 944 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3032 wrote to memory of 944 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2684 wrote to memory of 2000 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 2684 wrote to memory of 2000 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 2684 wrote to memory of 2000 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 2000 wrote to memory of 884 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 884 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 884 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 856 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 856 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 856 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 884 wrote to memory of 2740 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 884 wrote to memory of 2740 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 884 wrote to memory of 2740 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Cookies\WmiPrvSE.exe
PID 2740 wrote to memory of 2600 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 2600 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 2600 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 1532 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 1532 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 1532 N/A C:\Users\Admin\Cookies\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2600 wrote to memory of 1808 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Cookies\WmiPrvSE.exe

System policy modification

Tags: evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Cookies\WmiPrvSE.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe

"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\Cookies\WmiPrvSE.exe

"C:\Users\Admin\Cookies\WmiPrvSE.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d512a23-a4e3-42ab-803d-a234a2a9df0d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e83e84e-4be8-43cd-bdb8-117aa6237fa6.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1763930-92ac-4d53-af0f-3621aa4c20e6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa1676f4-4e7a-4495-99aa-72a3149551b7.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55252e5f-6d24-4a62-a47a-9f4e39d79f40.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9af99892-4a75-44b0-b0b9-95db8e6596fe.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bff3c35-cd3c-4b8e-ac30-750c6dc4d5a7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4030b3ee-3f08-4ab0-8b95-b91ac2d11434.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d90837-e3ed-4606-8ba4-0840da34968c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c934e922-3cec-465b-8014-49faacf9f9b1.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c08eff61-3fae-4d1b-82fb-32dc7137eaa5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80ba7ae6-6868-4fea-b3ba-2731963cfd6d.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f55063-d043-4df2-8c53-2fd0e06b2d47.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47628496-a2ac-4013-b760-36468519d37e.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd69200b-182b-47dc-a3d0-c36757f9ff9a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae68b5be-48a5-42b7-865e-cdd9d3d010e4.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16479034-82db-4c3d-af5c-fd8296a722e3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21ac5a72-85ea-47ee-be12-2e39c331b5a5.vbs"

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Users\Admin\Cookies\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe4cbba-3d2f-4142-9604-01c92a051de7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0f8d115-696d-41fc-bba3-9df05642fda1.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp

Note: the nine TCP/80 rows are separate connections to the same host. 172.67.186.200 is Cloudflare address space, so the hostname 81888.cllt.nyashteam.ru (and the DNS query that precedes it), not the IP, is the durable network indicator.

Files

memory/1764-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

memory/1764-1-0x0000000000EF0000-0x00000000013E4000-memory.dmp

memory/1764-2-0x000000001B440000-0x000000001B56E000-memory.dmp

memory/1764-3-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

memory/1764-4-0x0000000000480000-0x000000000049C000-memory.dmp

memory/1764-5-0x00000000004A0000-0x00000000004A8000-memory.dmp

memory/1764-6-0x00000000004B0000-0x00000000004C0000-memory.dmp

memory/1764-7-0x00000000004C0000-0x00000000004D6000-memory.dmp

memory/1764-8-0x0000000000560000-0x0000000000570000-memory.dmp

memory/1764-9-0x0000000000570000-0x000000000057A000-memory.dmp

memory/1764-10-0x0000000000580000-0x0000000000592000-memory.dmp

memory/1764-11-0x0000000000590000-0x000000000059A000-memory.dmp

memory/1764-12-0x00000000005A0000-0x00000000005AE000-memory.dmp

memory/1764-13-0x00000000005B0000-0x00000000005BE000-memory.dmp

memory/1764-14-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/1764-15-0x00000000005D0000-0x00000000005D8000-memory.dmp

memory/1764-16-0x00000000005E0000-0x00000000005EC000-memory.dmp

C:\Users\Default\OSPPSVC.exe (same SHA256 as the submitted sample, i.e. a straight self-copy; the OSPPSVC/OSPPSVCO tasks above reach it through the C:\Users\Default User junction)

MD5 4e3ae6b4f8ea1c5d2fb3a8bc008e2fff
SHA1 22329e6ce220cce52f7dde6e03c082d31f27bbae
SHA256 ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847
SHA512 6394d0a6883e478bf7f196ef1c829ff7d579ebfde1ddbdd5c59a57eb40ba82c5c15f41f71bfa4f31227198c8d722c5872c0aa01d5e750dd19523a8237db5b655

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7cf70a377a9839411de49bf1f4f61773
SHA1 4be1676995c3a8be69377425b19358bf78492b6d
SHA256 d79eb408b86d6bf0c951b7654d0cd285ea0a309b7e7be49968216a2b1007f6e8
SHA512 9e1ce5946b9811e0d0914087445c758911970a44b0907a467f03e3ae6da42d95860e78d0f7d15b336b80ae1bfe5264276a56e65b1e873d03091501d59f7c9136

memory/3032-82-0x00000000012A0000-0x0000000001794000-memory.dmp

memory/1764-119-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

memory/1924-121-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

memory/2664-120-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp30D0.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\3d512a23-a4e3-42ab-803d-a234a2a9df0d.vbs

MD5 5296bc5801741202c188e76bcd3ec34b
SHA1 4047e409a26316b0869fae6da236f15f95bdbe0a
SHA256 d025fbef86ccd5d57cd0318ac6b0bf61a750d7da5d7277fd9f012aff2d82dfd3
SHA512 23f37d8ff8297e1a9131f5656a6a10edf74dc28575feaf04eb27bd3ed080b5c9daf436f22e6eda387ba55b74823c6d44e55810bd892189a7ae7cc06ca34f1b51

C:\Users\Admin\AppData\Local\Temp\1e83e84e-4be8-43cd-bdb8-117aa6237fa6.vbs

MD5 e44534f976685c8ecffe7f60fcf84bcf
SHA1 41e39347dfbaa8dd658db229fe1fa6f2c63305ec
SHA256 217e48b7a62edfc3ddb02d8c899b457640fdec39fd0859d12475c85d3397a747
SHA512 65a7dc8d674b5c1112740937fa2836e6bcc5fd2c80fd23aa95b01d05f96e83856e504becdacfd36711e76c744c9d11600a1fa1a29d5db3742be0a4e5e5866439

memory/2000-135-0x00000000006E0000-0x00000000006F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b1763930-92ac-4d53-af0f-3621aa4c20e6.vbs

MD5 3b453640376770c7ed9ddf19a4a49139
SHA1 ddf919357befa9e5d7bc7d210ac0f4eea71aa647
SHA256 f6545dc69990bfee216fedcdc748c920856604796631c0b7efe58a77890411fa
SHA512 0ccad00af4bc524b105130ebd3af9f3ddb39ff987ca236a4d8870db5cb66f3d8965515baeb76e044b894f720c6277af2eff9b05fe9a74b3265978054a5572622

C:\Users\Admin\AppData\Local\Temp\55252e5f-6d24-4a62-a47a-9f4e39d79f40.vbs

MD5 a51b0a52ff2cd2c7b51a4c64bf8cfffd
SHA1 c1675049f02994d0b802f29f3a733b474a244881
SHA256 7418d306a388ddd5f5086e152f3e4a58f2a43f4c1be6041276aaed32ff723cdb
SHA512 813bf50f4fde98e87a587fe241bfaaacebcc9d6cea0a804fdf7f98f926f360553b4a55ee38ff76cae4cbb665fd2ba8a98a7c198735ac007038d4a0e638770b82

C:\Users\Admin\AppData\Local\Temp\1bff3c35-cd3c-4b8e-ac30-750c6dc4d5a7.vbs

MD5 3eb62b339662e510e0ddc515e0581108
SHA1 b934f40d37922f28e4d60b9f41545eb3304a1a42
SHA256 42b5dd133d877a0fcc1a5cb28add526170edac04130cfeee5826125dfb3ddcd1
SHA512 b2d697ba4b14dbd828a67c35aa94aa80d8fa867387fcd6e2edda83653e831937edde4151488620ac6d782bf0638eb5c4e28297a0fe161853d5c347a07857055e

C:\Users\Admin\AppData\Local\Temp\00d90837-e3ed-4606-8ba4-0840da34968c.vbs

MD5 0aaeec535e77a477cec4b931dd15d356
SHA1 4324739e9408728e33d31f440618cf52a16aa959
SHA256 7df9d7ba20ff6eadf57d6980c8cabcda6460f0ec101f5fcaf89f11584314607f
SHA512 5914292535f932e9def5bcdd3eba10ec8acfbab258902bbdce0a9ffd81afaf6223597ee5dc4a9887896bb4aaad8d38159059b53407c15948026bf97557ae64d2

C:\Users\Admin\AppData\Local\Temp\c08eff61-3fae-4d1b-82fb-32dc7137eaa5.vbs

MD5 2394902cc50ab9f660fcc18339183e69
SHA1 467828b66e3444d0966889eaf7667df78306d7a6
SHA256 ceb858c7cf99a0c1519b3a87a63135485bf90432a011b7879d0b9c925643fbf8
SHA512 c22aeefd1224fa19eedb4669c90608fb1f0af79ee39c7c1d9e9cf44b24aca16ba75a6bec6daadb32b57c3ea8bf2b262f0fcb69d9a790576d927f8ba2307a2184

C:\Users\Admin\AppData\Local\Temp\f2f55063-d043-4df2-8c53-2fd0e06b2d47.vbs

MD5 6b3ca7647177a30ce885ebc8f15ab0fd
SHA1 bcdcc238b8f2caed2ddf094abfd5ffd7a26020e4
SHA256 2386764d46738eb40ff40a4fd8e1d47bb6d7c921341bd685b8f1acca0eb665a8
SHA512 5f7b0d9de698dc9ce753b556202714472dbca92bb249215f768a5cc45dee580b7a67b8cec999a14a64b13376a05da08aa2f32a72bb99f10336c2f79fb90570ce

C:\Users\Admin\AppData\Local\Temp\bd69200b-182b-47dc-a3d0-c36757f9ff9a.vbs

MD5 584f04ec0a3897cf41a8ebe92be3b0fc
SHA1 da3ae586c4554170601f3bdc790fc920ca562142
SHA256 33c7d8003e88d4337c728aeea9d1dd75104d27da8346b67c393d2846f138ead1
SHA512 e33f9b4a61f808ad206357b4f80ddd50cbcfb11e303019a66095c3792c644fac135fe41d2d21d88b8ad051f6fccacd20077c44340ce9fe109870f0ee339ca11c

C:\Users\Admin\AppData\Local\Temp\495ed7a571ccf08ae8b9f094a66930378fbbab46.exe

MD5 9f858c55cd3f0a35a565230f3111e077
SHA1 8078ee58f72ba679148a77ccf7349df29a152c92
SHA256 cbec168771bb5e467f8a02a550d3d8d28e61e1e917d425e3df3196954ecf42d8
SHA512 0995d1a792236aae5262074ca145d027090478b6661d976f220ff7ba2a4fd5c05ce0268a368f177c593db44b864b8164176be76811a6aba31a7b38206337e537

C:\Users\Admin\AppData\Local\Temp\16479034-82db-4c3d-af5c-fd8296a722e3.vbs

MD5 2b4884943050a1d7482f567f817e5eee
SHA1 30a20e688788208bc93f7ea3cfce5db48e03fcac
SHA256 1f51faec70f14dbb0744f75798a054219703be45ceb4bdf9a1c04981c952cb5f
SHA512 2a0abc0067117ec06c5f07c57ceeaebf7e08cbfdc4b194da0364a4677cfed4435185f088d8f75dcbbc4df3255da6496b7550e51080595892e41659cec6fd900d

memory/644-248-0x00000000000B0000-0x00000000005A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bbe4cbba-3d2f-4142-9604-01c92a051de7.vbs

MD5 f75095c435cc54b4e872de1922eec7e0
SHA1 067a73f11aab870862f54b5068d4c81d99580a94
SHA256 1c6d766b1888932ce6b40de36a29c96997d31761af011f78415cae48ccee05b1
SHA512 367e4d50ee302739472a29639b758ed5df4816650f9cc9e44df4804ba2f0d60cea78e32f64ee7a1665042d6bb5d89a7dc76c376ae14d814a96931756844cd9ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 03:49

Reported

2024-11-20 03:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
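The "UAC bypass" rows above, together with the "Process spawned unexpected child process" rows earlier in this detonation, are easier to act on as two questions: what UAC posture do the three policy values leave the host in, and which process wrote them; and which WmiPrvSE.exe children are interpreter or scheduler binaries. The Python below is an added example, not part of the report, that answers both from rows copied as constructed input (plus one unrelated row to show it is skipped). The Windows 10 default values and the set of child binaries treated as suspicious under WmiPrvSE.exe are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral2 signature tables above
# (three UAC policy writes, one "unexpected child" row, one unrelated row to be skipped).
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
'''.strip().splitlines()

POLICY_RE = re.compile(
    r'Set value \(int\) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    r'\\Policies\\System\\(?P<name>\w+) = "(?P<data>-?\d+)" (?P<proc>.+?) N/A$')
PARENT_RE = re.compile(r'Parent (?P<parent>.+?) is not expected to spawn this process N/A (?P<child>.+)$')

# Windows 10 workstation defaults (assumed baseline) for the three values DcRat rewrites.
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# WmiPrvSE.exe spawning an interpreter or scheduler almost always means Win32_Process.Create
# was used to run it; management tooling can do this legitimately, so treat hits as leads.
WMI_HOST = "wmiprvse.exe"
LOLBIN_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",   # assumed set
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def uac_posture(values):
    """What the three policy values mean for the user once they take effect."""
    v = {**UAC_DEFAULTS, **values}
    if v["EnableLUA"] == 0:
        return "UAC disabled: admin-token processes run fully elevated (after reboot)"
    if v["ConsentPromptBehaviorAdmin"] == 0:
        return "UAC silent: admins auto-elevate with no consent prompt"
    if v["PromptOnSecureDesktop"] == 0:
        return "UAC prompts on the interactive desktop, where a fake dialog can harvest consent"
    return "default: consent prompt on the secure desktop"

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_wmi_lolbin_spawn(parent, child):
    return basename(parent) == WMI_HOST and basename(child) in LOLBIN_CHILDREN

def summarize(lines):
    policy, writers, spawns = {}, defaultdict(set), []
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            policy[m["name"]] = int(m["data"])
            writers[m["name"]].add(m["proc"])
            continue
        m = PARENT_RE.match(line)
        if m and is_wmi_lolbin_spawn(m["parent"], m["child"]):
            spawns.append((m["parent"], m["child"]))
    return {"policy": policy, "posture": uac_posture(policy),
            "writers": {k: sorted(v) for k, v in writers.items()}, "wmi_spawns": spawns}

if __name__ == "__main__":
    r = summarize(SAMPLE_EVENTS)
    print(r["posture"])
    for name, procs in r["writers"].items():
        print(f"{name} written by: {', '.join(procs)}")
    for parent, child in r["wmi_spawns"]:
        print(f"WMI-driven spawn: {parent} -> {child}")
```

EnableLUA=0 only takes effect after a reboot, whereas ConsentPromptBehaviorAdmin=0 applies immediately, so a host that has not rebooted since infection is in the "silent" state rather than the "disabled" one; the remediation is the same either way (restore all three values, then reboot).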

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (9 identical entries)
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (5 identical entries)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe N/A (3 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe N/A (4 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6C90.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD31A.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4C9.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2169.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3E38.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe N/A (4 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe N/A (3 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAADC.tmp.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDB14.tmp.exe N/A (2 identical entries)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (3 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (2 identical entries)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (3 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (3 identical entries)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (3 identical entries)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (3 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (2 identical entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3428 set thread context of 3360 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 4772 set thread context of 1476 N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 4780 set thread context of 4228 N/A C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe
PID 600 set thread context of 4756 N/A C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp.exe
PID 2228 set thread context of 1836 N/A C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp.exe
PID 3616 set thread context of 4488 N/A C:\Users\Admin\AppData\Local\Temp\tmp6C90.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp6C90.tmp.exe
PID 924 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe
PID 2432 set thread context of 4592 N/A C:\Users\Admin\AppData\Local\Temp\tmpD31A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD31A.tmp.exe
PID 696 set thread context of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmp4C9.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4C9.tmp.exe
PID 3440 set thread context of 4460 N/A C:\Users\Admin\AppData\Local\Temp\tmp2169.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2169.tmp.exe
PID 1836 set thread context of 1524 N/A C:\Users\Admin\AppData\Local\Temp\tmp3E38.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp3E38.tmp.exe
PID 4436 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe
PID 2236 set thread context of 3984 N/A C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe
PID 2984 set thread context of 2272 N/A C:\Users\Admin\AppData\Local\Temp\tmpAADC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpAADC.tmp.exe
PID 1936 set thread context of 1552 N/A C:\Users\Admin\AppData\Local\Temp\tmpDB14.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDB14.tmp.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCXA809.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Windows Mail\RCXAA1E.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Windows Mail\Registry.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXAE65.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\7-Zip\Lang\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Google\winlogon.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Google\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Common Files\Services\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Windows Mail\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Common Files\Services\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Common Files\Services\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCXB28E.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Google\RCXC1F6.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Google\winlogon.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\Windows Mail\Registry.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Program Files\7-Zip\Lang\services.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\services.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Program Files\Common Files\Services\RCXBD61.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\RCXAC51.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\ServiceProfiles\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\Resources\RCXC40B.tmp C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File opened for modification C:\Windows\Resources\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\ServiceProfiles\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\ServiceProfiles\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\Resources\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
File created C:\Windows\Resources\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDB14.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2169.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD31A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp3E38.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAADC.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe N/A (2 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4C9.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp6C90.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (13 identical entries)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (45 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (34 identical entries)
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (15 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (11 identical entries)
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A (14 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3128 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3128 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3732 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3732 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3732 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3428 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3428 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3428 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3428 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3428 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3428 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3428 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe
PID 3128 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3128 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe
PID 3128 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe
PID 2652 wrote to memory of 1092 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 1092 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 3496 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 3496 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 4772 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 2652 wrote to memory of 4772 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 2652 wrote to memory of 4772 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 4772 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 4772 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 4772 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 4772 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 4772 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 4772 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 4772 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe
PID 1092 wrote to memory of 4984 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe
PID 1092 wrote to memory of 4984 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe
PID 4984 wrote to memory of 5052 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4984 wrote to memory of 5052 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4984 wrote to memory of 2952 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4984 wrote to memory of 2952 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4984 wrote to memory of 4428 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe
PID 4984 wrote to memory of 4428 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe
PID 4984 wrote to memory of 4428 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe
PID 4428 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe
PID 4428 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe
PID 4428 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe
PID 3644 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe

"C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Resources\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA7DA.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb466840-4b62-40a8-ac3a-ef0741364723.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe795a7a-8d4d-4208-b86c-1c388b271876.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDA43.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfbb0f3c-825d-4d54-8211-9e4b1a361ca7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16c48e2c-5c65-43ad-af05-52b7fd25172e.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFD7A.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce13dac-27c2-4ac6-a3f3-1a2f33368970.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3121c14c-6388-4da2-8a52-24fae82deb00.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92ac109-94ca-4197-b5b4-10767a6c5d0b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b2705e5-46e1-488a-a227-f0fac3473e57.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6571ec13-48fb-4911-a082-a0faeaf27c1b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\381a081d-5fc3-4e50-86a9-3807639ffa3d.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp6C90.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6C90.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6C90.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6C90.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb38ef5-a7b6-4342-a01e-cbd70664b293.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00e16353-efb7-44fb-8257-d7bd28a5faee.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a66a8a32-0b47-4415-b42d-b357d0bd0421.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06f8f283-0c10-449f-b04d-d419f320ef48.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpD31A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD31A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD31A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD31A.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce74a118-57d3-4c36-90dd-6a04fd09b199.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d9256d0-29bb-4a0e-b912-57075663c26d.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4C9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4C9.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4C9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4C9.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\397f7497-f604-4428-9aa5-2f3cd850aeaa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7f52059-cb17-4be1-adb8-7eecea553e4c.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2169.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2169.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2169.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2169.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0807d7f-9856-4add-bc10-928918fec317.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1648557-3de8-4798-8f4f-2e39aec6b40e.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp3E38.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3E38.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp3E38.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3E38.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3de4a5a6-438f-440c-bf20-cdaa29bf498a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc1c4d80-f1d1-47ac-bedc-51c0fb0f60e6.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5BB3.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61d4b5f2-72f5-41b7-a05c-4e1ede6e6bbb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1339d234-dfb0-48c7-90d5-27ef00b1b0ef.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8DCF.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44c07703-5e53-4f7d-a0e1-76ddb812191a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85c0dc71-5d7c-45ba-918e-137ee1be7789.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpAADC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAADC.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpAADC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAADC.tmp.exe"

C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa2b22c7-389d-4e04-bc50-0a150b078d71.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f2112e3-9f9d-42a8-b739-e026233a4904.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpDB14.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDB14.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDB14.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDB14.tmp.exe"

Network

Files
