Malware Analysis Report

2024-10-10 13:00

Sample ID 240617-xwg9ca1akh
Target dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe
SHA256 dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
Tags
dcrat evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e

Threat Level: Known bad

The file dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

DcRat

Dcrat family

DCRat payload

Process spawned unexpected child process

UAC bypass

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 19:12

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 19:12

Reported

2024-06-17 19:14

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe [30 identical rows]

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A [12 identical rows]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A [12 identical rows]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A [12 identical rows]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A [8 identical rows]

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A [12 identical rows]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A [12 identical rows]
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A

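The three values written in the UAC bypass and Checks whether UAC is enabled tables are the whole of the "bypass": nothing is exploited, the policy is switched off. Writing these HKLM values needs administrative rights, so on this sandbox (the sample ran from C:\Users\Admin) the writes disable UAC for later elevations rather than escalate privileges; on a host where the sample ran as a standard user they would fail. Note also that EnableLUA only takes effect at the next reboot, while ConsentPromptBehaviorAdmin=0 (elevate silently) and PromptOnSecureDesktop=0 (prompt on the user's own desktop) apply immediately. The following is an added example, not part of the sandbox report or of DCRat: a parser for those rows plus a table of what the value 0 means for each key, so a responder can replay the writes, state the resulting UAC posture and attribute each write to a process. The sample rows are a trimmed copy of the tables above; the defaults are the Windows client defaults; the tolerance for a trailing "[n identical rows]" annotation is this example's own convention.

```python
"""Added example (not from the report or from DCRat): replay the UAC policy
writes listed above and state what they leave behind."""
import re
from collections import Counter

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows client defaults; the comment gives the meaning of the 0 the sample writes.
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 = UAC off entirely, effective after the next reboot
    "ConsentPromptBehaviorAdmin": 5,  # 0 = administrators elevate with no prompt at all
    "PromptOnSecureDesktop": 1,       # 0 = prompts on the normal desktop, where they can be faked
}
MEANING_OF_ZERO = {
    "EnableLUA": "UAC disabled entirely (effective after reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts leave the secure desktop",
}

# One report row: <op> <registry path>[ = "<int>"] <process ending in .exe> N/A[ [n identical rows]]
ROW = re.compile(
    r'^(?P<op>Set value \(int\)|Key value queried) (?P<path>\\REGISTRY\\\S+)'
    r'(?: = "(?P<value>-?\d+)")? (?P<process>[A-Za-z]:\\.+?\.exe) N/A'
    r'(?: \[\d+ identical rows\])?$'
)

# Constructed test input: a trimmed copy of rows from the two tables above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
"""


def parse_rows(text):
    """Turn report rows into events: op, key, value name, integer value (None for reads), process."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        key, _, name = m.group("path").rpartition("\\")
        events.append({
            "op": "set" if m.group("op").startswith("Set") else "query",
            "key": key,
            "name": name,
            "value": None if m.group("value") is None else int(m.group("value")),
            "process": m.group("process"),
        })
    return events


def effective_values(events, start=UAC_DEFAULTS):
    """Replay the writes in order; the last write per value wins, as in the registry."""
    current = dict(start)
    for e in events:
        if e["op"] == "set" and e["key"] == POLICY_KEY:
            current[e["name"]] = e["value"]
    return current


def assess(values):
    """One finding per policy value that weakens UAC relative to the client default."""
    return [
        f"{name}=0: {MEANING_OF_ZERO[name]}"
        for name in UAC_DEFAULTS
        if values.get(name, UAC_DEFAULTS[name]) == 0
    ]


def writers(events):
    """(process basename, value name) -> number of writes: the attribution a responder needs."""
    return Counter(
        (e["process"].rsplit("\\", 1)[-1], e["name"]) for e in events if e["op"] == "set"
    )


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for finding in assess(effective_values(evs)):
        print(finding)
    for (proc, name), n in writers(evs).items():
        print(f"{proc} wrote {name} {n}x")
```

On a live host the same assess() can be fed the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; anything other than an empty finding list after this sample has run means UAC has to be re-enabled and the machine rebooted before the EnableLUA change is actually undone.
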
Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Sidebar\56085415360792 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Mail\en-US\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Mail\es-ES\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Mail\es-ES\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Sidebar\wininit.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Mail\en-US\explorer.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ModemLogs\System.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Windows\ModemLogs\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A

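Every executable dropped in the two tables above borrows the name of a Windows binary (sppsvc.exe, wininit.exe, dllhost.exe, explorer.exe) but lands in a folder the genuine one never uses, and System.exe has no legitimate counterpart at all: "System" is the kernel's PID 4 process and has no image file. Each copy is also accompanied by a 14-hex-character file in the same folder, and both sppsvc.exe copies get the same companion name, 0a1fd5f707cd16. The following is an added example, not code from the report: a checker that flags dropped paths by those two rules. The location allowlist is a hand-picked subset covering the four names on this page, not an inventory of Windows binaries (WinSxS and servicing copies are left out), and the sample rows are copied from the tables above.

```python
"""Added example (not from the report): flag dropped files that impersonate a
Windows binary outside its real folder, and pair each with its companion file."""
import re

# Where the genuine binary lives on a 64-bit client. Hand-picked subset for the
# names on this page; WinSxS and servicing copies are deliberately left out.
KNOWN_LOCATIONS = {
    "sppsvc.exe":   {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "dllhost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
COMPANION = re.compile(r"^[0-9a-f]{14}$")
# One report row: File created <path> <process ending in .exe> N/A[ [n identical rows]]
FILE_ROW = re.compile(
    r"^File created (?P<path>.+?) (?P<process>[A-Za-z]:\\.+?\.exe) N/A"
    r"(?: \[\d+ identical rows\])?$"
)

# Constructed test input: the rows of the two "Drops file" tables above.
SAMPLE_ROWS = r"""
File created C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Sidebar\56085415360792 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Mail\en-US\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Mail\es-ES\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Mail\es-ES\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Sidebar\wininit.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Mail\en-US\explorer.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Windows\ModemLogs\System.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Windows\ModemLogs\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
"""


def parse_file_rows(text):
    """Return the created paths (the Indicator column) from 'File created' rows."""
    matches = (FILE_ROW.match(line.strip()) for line in text.splitlines())
    return [m.group("path") for m in matches if m]


def split_path(path):
    folder, _, name = path.rpartition("\\")
    return folder, name


def classify(path):
    """Why a created file is suspicious, or None if neither rule applies."""
    folder, name = split_path(path)
    if name.lower() == "system.exe":
        return "no Windows file is called System.exe; System is the PID 4 kernel process"
    homes = KNOWN_LOCATIONS.get(name.lower())
    if homes and folder.lower() not in homes:
        return f"{name} outside its real folder ({', '.join(sorted(homes))})"
    return None


def companions(paths):
    """(folder, exe, companion) for every dropped .exe with a 14-hex file beside it."""
    by_folder = {}
    for path in paths:
        folder, name = split_path(path)
        by_folder.setdefault(folder, []).append(name)
    pairs = []
    for folder, names in by_folder.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        tags = [n for n in names if COMPANION.match(n)]
        pairs.extend((folder, exe, tag) for exe in exes for tag in tags)
    return pairs


def report(text):
    """Flagged (path, reason) pairs and the exe/companion pairs for a block of rows."""
    paths = parse_file_rows(text)
    flagged = [(p, classify(p)) for p in paths if classify(p)]
    return flagged, companions(paths)


if __name__ == "__main__":
    flagged, pairs = report(SAMPLE_ROWS)
    for path, reason in flagged:
        print(f"{path}: {reason}")
    for folder, exe, tag in pairs:
        print(f"{folder}: {exe} + {tag}")
```

The companion pairing is the more durable indicator of the two: the executable names and folders vary between builds, but a 14-hex file that appears in the same folder and at the same time as an executable with a system-binary name is unusual enough to hunt on, and the shared companion name for both sppsvc.exe copies shows it is derived from the executable name rather than drawn at random.
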
Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A [7 identical rows]
N/A N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A [57 identical rows]

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1072 wrote to memory of 552 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1072 wrote to memory of 552 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1072 wrote to memory of 552 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1072 wrote to memory of 900 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1072 wrote to memory of 900 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1072 wrote to memory of 900 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 552 wrote to memory of 1648 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 552 wrote to memory of 1648 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 552 wrote to memory of 1648 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 552 wrote to memory of 1648 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 552 wrote to memory of 1648 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1648 wrote to memory of 1984 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1648 wrote to memory of 1984 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1648 wrote to memory of 1984 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1648 wrote to memory of 2612 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1648 wrote to memory of 2612 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1648 wrote to memory of 2612 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1984 wrote to memory of 2492 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1984 wrote to memory of 2492 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1984 wrote to memory of 2492 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1984 wrote to memory of 2492 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1984 wrote to memory of 2492 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2492 wrote to memory of 2956 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2492 wrote to memory of 2956 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2492 wrote to memory of 2956 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2492 wrote to memory of 2528 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2492 wrote to memory of 2528 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2492 wrote to memory of 2528 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2956 wrote to memory of 2340 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2956 wrote to memory of 2340 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2956 wrote to memory of 2340 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2956 wrote to memory of 2340 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2956 wrote to memory of 2340 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2340 wrote to memory of 2872 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 2872 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 2872 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 1132 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 1132 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 1132 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2872 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2872 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2872 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2872 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2140 wrote to memory of 1888 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2140 wrote to memory of 1888 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2140 wrote to memory of 1888 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2140 wrote to memory of 2324 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2140 wrote to memory of 2324 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2140 wrote to memory of 2324 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1596 wrote to memory of 2348 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1596 wrote to memory of 2348 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1596 wrote to memory of 2348 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1596 wrote to memory of 2180 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
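
The rows above are easier to read once the repeated entries are collapsed into a process tree: each `sppsvc.exe` instance starts two `WScript.exe` hosts (one per dropped .vbs), and one of those relaunches `sppsvc.exe`, so the chain alternates script host and payload. The script below is an added example, not part of the sandbox report; it parses rows in the table's own layout, deduplicates them, walks the longest parent-to-child chain and counts how many times the payload bounced through a script host. The sample rows are a constructed subset of the rows printed above (the rows here start mid-chain at PID 2956, the original dropper is not among them).

```python
import ntpath
import re
from collections import Counter, defaultdict

# One "wrote to memory of" row as printed in the report's WriteProcessMemory table:
#   PID <src> wrote to memory of <dst> <indicator> <source image> <target image>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<ind>\S+) "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)\s*$",
    re.IGNORECASE,
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample: a subset of the rows in the table above. The same edge is logged more
# than once because process start-up involves several WriteProcessMemory calls.
SAMPLE_ROWS = r"""
PID 2956 wrote to memory of 2340 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2956 wrote to memory of 2340 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2340 wrote to memory of 2872 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 2872 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 2872 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 1132 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2872 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 2140 wrote to memory of 1888 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe
PID 1596 wrote to memory of 2348 N/A C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe C:\Windows\System32\WScript.exe
"""


def parse_write_events(text):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per row, repeats included."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_tree(events):
    """Collapse repeated rows into parent->children, pid->image and per-edge write counts."""
    children = defaultdict(set)
    images = {}
    counts = Counter()
    for src, dst, src_img, dst_img in events:
        children[src].add(dst)
        images[src] = src_img
        images[dst] = dst_img
        counts[(src, dst)] += 1
    return dict(children), images, counts


def longest_chain(children, images):
    """Longest root-to-leaf path as (pid, image basename) pairs; roots are pids never written to."""
    all_children = {c for kids in children.values() for c in kids}
    roots = sorted(p for p in children if p not in all_children)
    best = []

    def walk(pid, path):
        nonlocal best
        path = path + [pid]
        kids = children.get(pid, set())
        if not kids and len(path) > len(best):
            best = path
        for kid in sorted(kids):
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return [(pid, ntpath.basename(images[pid]).lower()) for pid in best]


def script_host_bounces(chain):
    """Count script host -> payload -> script host hops; each is one relaunch through a dropped .vbs."""
    names = [name for _, name in chain]
    return sum(
        1
        for i in range(len(names) - 2)
        if names[i] in SCRIPT_HOSTS and names[i + 1] not in SCRIPT_HOSTS and names[i + 2] in SCRIPT_HOSTS
    )


if __name__ == "__main__":
    ev = parse_write_events(SAMPLE_ROWS)
    kids, imgs, counts = build_tree(ev)
    chain = longest_chain(kids, imgs)
    print(" -> ".join(f"{name}[{pid}]" for pid, name in chain))
    print(f"{len(ev)} rows, {len(counts)} unique edges, {script_host_bounces(chain)} script-host relaunches")
```

The per-edge counts are worth keeping rather than discarding: a parent that writes to a child three to five times is consistent with ordinary CreateProcess start-up, whereas a single large write into an already-running process would point at injection instead.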

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
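
Three registry values are being zeroed here, and together they do more than "bypass" a prompt: EnableLUA=0 turns UAC off at the next logon, ConsentPromptBehaviorAdmin=0 lets administrators elevate with no consent dialog in the meantime, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop. Both the original dropper and the dropped `sppsvc.exe` write all three. The script below is an added example, not part of the sandbox report; it parses rows in the table's own layout, attributes each write to the process that made it, and reports which processes disabled UAC outright. The value semantics are standard Windows UAC policy, the sample rows are copied from the table above plus one constructed benign row (a write of "1") to show it is ignored. The same parser applies unchanged to the "UAC bypass" rows in the behavioral2 section.

```python
import re
from collections import defaultdict

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# What a value of 0 means for each UAC policy value (standard Windows semantics, not from the report).
UAC_DISABLED_MEANING = {
    "EnableLUA": "UAC switched off altogether (takes effect at next logon/reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no consent prompt",
    "PromptOnSecureDesktop": "remaining prompts are drawn on the normal desktop, where they can be spoofed or clicked through",
}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"
SPPSVC = r"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

# One "Set value" row as printed in the report's signature tables:
#   Set value (<type>) <key>\<name> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<data>[^"]*)" '
    r'(?P<process>.+?) (?P<target>\S+)$'
)

# Constructed sample: seven rows from the table above, plus one benign row that re-enables UAC.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A
"""


def parse_policy_rows(text):
    """Return one dict (type, key, name, data, process, target) per parsable row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def uac_tampering(rows):
    """{process: {value name: times set to 0}} for writes that weaken UAC policy."""
    hits = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["key"].lower() != UAC_POLICY_KEY.lower():
            continue
        if r["name"] in UAC_DISABLED_MEANING and r["data"] == "0":
            hits[r["process"]][r["name"]] += 1
    return {proc: dict(vals) for proc, vals in hits.items()}


def fully_disabled_by(hits):
    """Processes that zeroed all three values, i.e. UAC is gone once the host reboots."""
    return sorted(proc for proc, vals in hits.items() if set(vals) == set(UAC_DISABLED_MEANING))


def explain(hits):
    """Human-readable finding per (process, value), with the effect of the write."""
    lines = []
    for proc, vals in hits.items():
        for name, n in vals.items():
            lines.append(f"{proc}: {name}=0 x{n} -> {UAC_DISABLED_MEANING[name]}")
    return lines


if __name__ == "__main__":
    hits = uac_tampering(parse_policy_rows(SAMPLE_ROWS))
    print("\n".join(explain(hits)))
    print("UAC fully disabled by:", fully_disabled_by(hits))
```

On a live host the same three values can be read back with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA` (and the other two names); note that restoring EnableLUA to 1 only takes effect after a reboot, so an infected machine stays without UAC until then.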

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe

"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\es-ES\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\es-ES\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1209ac36-37e6-4a45-ba91-57586b43b064.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ddf5c4-382e-4679-b693-5ad5a78b2259.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26542d94-f5bf-4600-b86b-53630aa76301.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25837b48-c089-432f-8277-e37031b10fbd.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\711f9d38-b19d-4777-82ab-dcdbf77b4d53.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20e8bc04-bca0-4aa0-8b9c-7c2758fa65a8.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\900897d6-dec2-4f52-b21b-7e7d9f00be85.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\168b88ab-bfec-432e-ac78-af293157f8a1.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83c8dd7c-d066-453f-88ef-e720ba62ea52.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94a79acb-af67-4d64-91d6-47520cfa8bb7.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\583d26d2-553e-4996-9bd9-145acfae3a22.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaccf0b9-a9fa-4d40-b50a-65c61b7ac7c7.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c50d3256-ebdd-4e47-b48d-85ba91e7f9b6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59e6b152-8cb2-4eb9-a5c0-d0c8f16a1bf6.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aae94fb-5f5f-43cd-ae85-434a54ceb8c9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c47df339-cf19-470d-bf3a-f212168332f8.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5caa41f9-3b02-48bd-bc1d-c09fc1fc1676.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b8fa5c-9e09-4914-8b10-9af0090d4a9f.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f6b5962-c76e-46a3-833b-e3decab666c2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\382cef23-72a5-46c0-8a73-540ab734ebf3.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa9678d6-b217-4f9a-b995-9f258c76925d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fd22ee3-c0c4-4e6e-874f-83cd7a000f0f.vbs"

C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe

"C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b248cb7-7129-49e0-8057-999bdd10dffd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d2785da-5092-4e47-9aa0-ef7cdf5eff7a.vbs"

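The `schtasks` lines above follow one template: each dropped copy of the payload gets three tasks (a minute-interval task, an ONLOGON task with `/rl HIGHEST`, and a second minute-interval task with `/rl HIGHEST`), the binary carries a Windows system-process name (`spoolsv.exe`, `wininit.exe`, `dllhost.exe`, `explorer.exe`, `System.exe`, `dwm.exe`, `sppsvc.exe`) but sits in a directory where that binary never lives, and the task name is the image name, optionally with its own first letter appended (`spoolsvs`, `wininitw`, `dllhostd`, `explorere`, `SystemS`, `dwmd`, `sppsvcs`). The script below is an added example, not part of the sandbox report; it parses `schtasks /create` command lines and flags those four traits. The table of expected image locations is an assumption of this example (extend it for other builds); the sample input is four lines copied from the process list above plus two constructed lines that must not be flagged.

```python
import ntpath
import re

# Where Windows keeps binaries with these names (assumed baseline for this example). "System" is a
# kernel pseudo-process with no image on disk, so any System.exe is suspect wherever it lives.
SYSTEM_IMAGE_HOMES = {
    "explorer.exe": {r"c:\windows"},
    "csrss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "system.exe": set(),
}

# schtasks switches we care about, quoted or bare; /f carries no argument and is not needed here.
OPT_RE = re.compile(r'/(?P<opt>tn|sc|mo|tr|rl)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)
CREATE_RE = re.compile(r'^\s*"?schtasks(?:\.exe)?"?\s+/create\b', re.IGNORECASE)

SAMPLE_CMDLINES = [
    # Four lines copied from the process list above.
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /f""",
    r"""schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f""",
    # Two constructed lines: an ordinary daily task, and a query that is not a /create at all.
    r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f',
    r'schtasks.exe /query /tn "NightlyBackup"',
]


def parse_schtasks_create(cmdline):
    """Fields of a 'schtasks /create' line, or None for anything else."""
    if not CREATE_RE.match(cmdline):
        return None
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        opts[m["opt"].lower()] = m["q"] if m["q"] is not None else m["u"]
    mo = opts.get("mo", "")
    return {
        "name": opts.get("tn", ""),
        "schedule": opts.get("sc", "").upper(),
        "every": int(mo) if mo.isdigit() else None,
        "run": opts.get("tr", "").strip("'"),  # the report's lines wrap the path in extra single quotes
        "highest": opts.get("rl", "").upper() == "HIGHEST",
    }


def flag_task(task):
    """List of reasons this task looks like DcRat-style persistence; empty means nothing tripped."""
    reasons = []
    base = ntpath.basename(task["run"]).lower()
    home = ntpath.dirname(task["run"]).lower()
    if base in SYSTEM_IMAGE_HOMES and home not in SYSTEM_IMAGE_HOMES[base]:
        reasons.append(f"{base} masquerade: image lives in {home or '<no dir>'}")
    if task["highest"]:
        reasons.append("/rl HIGHEST (runs elevated)")
    if task["schedule"] == "MINUTE" and task["every"] is not None and task["every"] <= 15:
        reasons.append(f"re-launched every {task['every']} min")
    stem = base[:-4] if base.endswith(".exe") else base
    if stem and task["name"].lower() in (stem, stem + stem[0]):
        reasons.append("task name is the image name, or the image name plus its first letter")
    return reasons


def triage(cmdlines):
    """[(task name, run path, reasons)] for every /create line that trips at least one check."""
    out = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None:
            continue
        reasons = flag_task(task)
        if reasons:
            out.append((task["name"], task["run"], reasons))
    return out


if __name__ == "__main__":
    for name, run, reasons in triage(SAMPLE_CMDLINES):
        print(f"{name!r} -> {run}")
        for r in reasons:
            print("   -", r)
```

Fed with Sysmon event ID 1 command lines (or the `schtasks.exe` entries from an EDR), the masquerade check alone is enough to catch every task in this report, since none of the seven image names is ever scheduled from `C:\Recovery`, `C:\MSOCache`, `C:\Windows\ModemLogs` or a `Program Files` locale folder on a clean host.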
Network

Country Destination Domain Proto
US 8.8.8.8:53 a0993445.xsph.ru udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp

Files

memory/2060-0-0x000007FEF5A33000-0x000007FEF5A34000-memory.dmp

memory/2060-1-0x00000000012A0000-0x000000000160A000-memory.dmp

memory/2060-2-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

memory/2060-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

memory/2060-4-0x00000000003E0000-0x00000000003EE000-memory.dmp

memory/2060-5-0x00000000003F0000-0x00000000003F8000-memory.dmp

memory/2060-6-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2060-7-0x0000000000620000-0x0000000000628000-memory.dmp

memory/2060-8-0x0000000000630000-0x0000000000640000-memory.dmp

memory/2060-9-0x0000000000640000-0x0000000000656000-memory.dmp

memory/2060-10-0x0000000000660000-0x0000000000668000-memory.dmp

memory/2060-11-0x00000000006D0000-0x00000000006E2000-memory.dmp

memory/2060-12-0x00000000006B0000-0x00000000006BC000-memory.dmp

memory/2060-13-0x00000000006C0000-0x00000000006C8000-memory.dmp

memory/2060-14-0x0000000000B80000-0x0000000000B90000-memory.dmp

memory/2060-15-0x0000000000B90000-0x0000000000B9A000-memory.dmp

memory/2060-16-0x0000000000BA0000-0x0000000000BF6000-memory.dmp

memory/2060-17-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

memory/2060-18-0x0000000000C00000-0x0000000000C08000-memory.dmp

memory/2060-19-0x0000000000C10000-0x0000000000C1C000-memory.dmp

memory/2060-20-0x0000000000C20000-0x0000000000C28000-memory.dmp

memory/2060-21-0x0000000000C30000-0x0000000000C42000-memory.dmp

memory/2060-22-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

memory/2060-23-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

memory/2060-24-0x0000000000D00000-0x0000000000D08000-memory.dmp

memory/2060-25-0x0000000000D10000-0x0000000000D1C000-memory.dmp

memory/2060-26-0x0000000000E20000-0x0000000000E2C000-memory.dmp

memory/2060-27-0x0000000000E30000-0x0000000000E38000-memory.dmp

memory/2060-28-0x0000000000E40000-0x0000000000E4C000-memory.dmp

memory/2060-29-0x0000000000E50000-0x0000000000E5A000-memory.dmp

memory/2060-32-0x0000000001280000-0x000000000128E000-memory.dmp

memory/2060-31-0x0000000000E70000-0x0000000000E78000-memory.dmp

memory/2060-30-0x0000000000E60000-0x0000000000E6E000-memory.dmp

memory/2060-33-0x0000000001290000-0x0000000001298000-memory.dmp

memory/2060-34-0x000000001AB20000-0x000000001AB2C000-memory.dmp

memory/2060-35-0x000000001AB30000-0x000000001AB38000-memory.dmp

memory/2060-36-0x000000001AB40000-0x000000001AB4A000-memory.dmp

memory/2060-37-0x000000001AB50000-0x000000001AB5C000-memory.dmp

C:\Program Files\Windows Mail\en-US\explorer.exe

MD5 49c8ca6dcd8990e9d840ec142959abe8
SHA1 7ff8e014f01f82bab6e239bde43bd60592af90e7
SHA256 dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
SHA512 59f10d0dd41296d8d5d08ff930ad920ce5c4fe25eeee669ea0225c815f9c06e0487a6fd1f18d373a54aa16f29b37bab9f247961f31d2b2fdf706095a12c82f15

memory/1072-64-0x00000000000F0000-0x000000000045A000-memory.dmp

memory/2060-65-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

memory/1072-66-0x0000000002330000-0x0000000002342000-memory.dmp

memory/1072-67-0x00000000025A0000-0x00000000025B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1209ac36-37e6-4a45-ba91-57586b43b064.vbs

MD5 6aaf549c87d6b5c3807ebc48a1b2cd70
SHA1 37c80c036023eca44e053bf949b2d851cebe1e9e
SHA256 0e44c0b69bdf83a1629611b36fe21ce53438c3a2ea9de4e9efd5771f245d8691
SHA512 15cc1a33905b5c2d57b8cc591ec9e0b5fdca352ca7c8c0ca4b84417a93abde9d541a709573af724fb63d2651536eed8017e122439b736ec41af39a0f495756b2

C:\Users\Admin\AppData\Local\Temp\c6ddf5c4-382e-4679-b693-5ad5a78b2259.vbs

MD5 c559928a1a7d18034ee71ddaba232be6
SHA1 695d23d78e6d10760a5e7c3484816667bcb5b20f
SHA256 a56f982746d770c0d3474e0b65590918cf5c13908cc593035d6dbf1a99f921c9
SHA512 0bf63fc12c494892d6795d03c0856830241f8658a11f37ebc3c58a5ca13a632401645400c05394447f55384f338f1b2ec7b6ce01ba8bde2c9e36a65ca2c766f9

memory/1648-78-0x0000000000EC0000-0x000000000122A000-memory.dmp

memory/1648-79-0x000000001AA30000-0x000000001AA42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26542d94-f5bf-4600-b86b-53630aa76301.vbs

MD5 d75b7fede4acc6d2e28a938a837f733a
SHA1 bf089bd2c178d958908e7ee393ed012a4fc6d14a
SHA256 e2ca8914187c25ce5f6259ce25bf0ff875d3c37e040193b6746f1b16e4ef03bd
SHA512 dfcf35235ffdd55611de028b10e7b96eb8f914305cb795c3d6725600a15fd8cd44aff509aa162e837571194cae13095325069058533e25cad7e3fb428da6d906

memory/2492-91-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\711f9d38-b19d-4777-82ab-dcdbf77b4d53.vbs

MD5 44bf4ed696feefec827fd9b0e361b24a
SHA1 615adb7460a54a088a4de49de635229ff1eeab85
SHA256 103f580a5930b6215b216ff21236989dc6cf9214814841908e2d674a3cb2a0ca
SHA512 2117462777a5775330ab4793ab7e4dbf24db1e77806534ababebf837d5c915f0acb7841ba43f6b5de26c267e9d1fb87bb1ce39e7d62a59d67e04caa337b16038

memory/2340-103-0x0000000000D30000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\900897d6-dec2-4f52-b21b-7e7d9f00be85.vbs

MD5 23240f78221142c12c906f31f5c2440f
SHA1 5ca235b0343d1fe50cf92b3569271a20caf20476
SHA256 87b976f241fe1ce5292db22f6d6651d3d884d6a7f4c952030d7ea08bbbe84a95
SHA512 e568a89b0b93ff08a998880f696fe7a6df79d955198ee278997df472a0c9cc3e124e6c4b786df52eb5290b2e18f0c46981372de7bbc2a679026e6341d7e6a342

memory/2140-115-0x0000000001270000-0x00000000015DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83c8dd7c-d066-453f-88ef-e720ba62ea52.vbs

MD5 aa18fdd5509af1a4ab353e92187b9a38
SHA1 9572c1424c638d3f7634e76c13c6459d7d374f63
SHA256 68251ad2db9c74c5965c8f26e4c3534a794701e1b3e2c204eac6c075286a7886
SHA512 50eb55ab45a7854078b681af77b01e9a01a41c25f848d598ec73e233835845fd9d6991f477d34a8fc2c7b0660f504ee6fed01bfb235bd6e64f35c7f8e8d6fa1d

C:\Users\Admin\AppData\Local\Temp\583d26d2-553e-4996-9bd9-145acfae3a22.vbs

MD5 bcc4e3a351d4ca9e11c8794036503c6b
SHA1 3c2014d543b3b18d710e8593e3e1e07728392022
SHA256 c8e1b160662a621774e00c9b992faf050f4c94291c0d68c11bffb689e2549d86
SHA512 5a20997b460b4fcf26f4279e0e7cdd366ed349c1c23b8df8adacbf75df1557d305a2a2b0d712327093c8d1e7188d21d2be6ab68fcd932566f01066bdacd16c40

memory/2816-138-0x0000000000410000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c50d3256-ebdd-4e47-b48d-85ba91e7f9b6.vbs

MD5 e103ab1785ce981819ff817a453b93ee
SHA1 13b66ebcde242f056b8a79ed60900d2e4ba8bfff
SHA256 5a434c7afc04433448fc006617bcf6211b3706d953c75ff1bc80297f85cab2e6
SHA512 7d9bcaa83134ee39e8254a7a21be584ca7269a4df78dc2c8c52d3ca1a5b9909cb1e33f2c7a424978bfec9f6256fdeb283b708cc4574be686ca504b24d7e7cb81

C:\Users\Admin\AppData\Local\Temp\0aae94fb-5f5f-43cd-ae85-434a54ceb8c9.vbs

MD5 54430ef30babcab2494c3f2ee365c6b9
SHA1 8d2cae75be99dc77ba45876209d4f0bc3482e100
SHA256 9faa60e43a2c1ba493da3611c8ea62d16db6c78ce53c3f136ee54e023c0f93c8
SHA512 e8114f414d09b20ffe3ba828078aa61f98b7ed4debe201d44db1661313f01047f5b45410dc635fc480db2849b94d85a7fb5420aea529f9a774986fd321b0e821

memory/872-161-0x00000000002F0000-0x000000000065A000-memory.dmp

memory/872-162-0x00000000023F0000-0x0000000002402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5caa41f9-3b02-48bd-bc1d-c09fc1fc1676.vbs

MD5 dfddc0fb166c718334868c190829371b
SHA1 ca6721dc86d1aabe0a80d58de1dd4dbebc2e67f5
SHA256 df29547830f71cdeb761347b671d1114a5f907e97dcdbf4bce86d7f2d50d85fc
SHA512 f1dafe6a4a3983a8fc37a0b6dc1daaeca8cf5ce450adeda9ef7d63003a1f177d6222d8aa382ea42b072016516a2785aec58ad4bad09ad27d725ef0c86b49a5e4

memory/2808-174-0x0000000001070000-0x00000000013DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4f6b5962-c76e-46a3-833b-e3decab666c2.vbs

MD5 d8a21aa0432cbdb01ccd36183023a3ac
SHA1 80263ccb8807c541d2f6b81eaa52aa61c8690c94
SHA256 4ecd011e65cae9348b7c3146a41d0aa432291dc9adaba541e1f13c320475b6ca
SHA512 d395c10b20870fc7e8beb71362b0f0dfe845b1ae748d9f175b60a9f5a0e3be5a2d023f8684012d35d6566ed794769a4aa83ce0bc1591d88fcee784f9643e3428

memory/1940-186-0x0000000000B70000-0x0000000000B82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fa9678d6-b217-4f9a-b995-9f258c76925d.vbs

MD5 ae7fe381331704770dca4936ae1b006d
SHA1 9ec05d4c3ede47e27add2859cbe9c057b51dc877
SHA256 bd62c8862ca2bbc111606c9d977afece75f93f120a78b7bb2bc788dcdcd74554
SHA512 036ef3b9675ceb4a583f78a12963053efc6768cdf0c8b6e4e649d087e77b4da33d29b1e17f504c71ba7d36ae5c602fd8a827cc22580c392e886e5128f34bafd0

memory/1588-198-0x00000000010F0000-0x000000000145A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8b248cb7-7129-49e0-8057-999bdd10dffd.vbs

MD5 ece56ff9c2b183b62e10e100e5ca69bd
SHA1 b6a7e1635756b7b1608a887e334e9b8eb5125e25
SHA256 5d78cae3a70e882d5510fefb67518d6263f1ba54911446f33d24a21aadef4437
SHA512 2c62ff88586d10100651a550f5188e843e687394025406ef742101bab09d224714e561d87747e637d51408a6d8378fbdcc35a1ce6e3dfe26f3a6f0f166fea2e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 19:12

Reported

2024-06-17 19:14

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (26 identical events)
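
The 26 rows above all describe one thing: schtasks.exe started with wmiprvse.exe, the WMI provider host, as its parent. When a process is created through WMI (Win32_Process.Create), wmiprvse.exe becomes the recorded parent and the real caller disappears from the lineage, so a parent/child pairing rule is the check that catches it. The Python below is an added example and is not part of this sandbox report or of DcRat: it parses rows in the report's layout, applies an assumed expected-parent baseline (EXPECTED_PARENTS is illustrative and has to be tuned per environment), and rebuilds a process lineage from a PID map modelled on the "PID A wrote to memory of B" rows later in this analysis. sample.exe and the explorer.exe root in the sample data are placeholders.

```python
import re
from collections import Counter

# Assumed baseline of parents from which these command-line tools are normally
# launched. Illustrative only, not the sandbox's rule set: tune it per environment.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe", "msiexec.exe"},
    "wscript.exe": {"explorer.exe", "cmd.exe"},
    "w32tm.exe": {"cmd.exe", "powershell.exe", "svchost.exe"},
}

# The WMI provider host. A process created via WMI (Win32_Process.Create) gets
# wmiprvse.exe as its parent, so the real caller is absent from the lineage.
WMI_PROVIDER_HOST = "wmiprvse.exe"

SPAWN_ROW_RE = re.compile(
    r"^Parent (?P<parent>[A-Za-z]:\\.+?\.exe) is not expected to spawn this process\s+"
    r"(?P<indicator>\S+)\s+(?P<child>[A-Za-z]:\\.+?\.exe)$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_spawn_row(row):
    """Parse one 'Parent ... is not expected to spawn this process' row from the report."""
    m = SPAWN_ROW_RE.match(row.strip())
    return None if m is None else m.groupdict()


def evaluate_spawn(parent_image, child_image):
    """Return the rule names that fire for one parent/child pair (empty list = nothing)."""
    parent, child = basename(parent_image), basename(child_image)
    hits = []
    if child in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[child]:
        hits.append("unexpected_parent")
    if parent == WMI_PROVIDER_HOST:
        hits.append("wmi_spawned")
    return hits


def summarize_spawns(events):
    """events: (parent_image, child_image) pairs -> {(parent, child, rule): count}."""
    counts = Counter()
    for parent_image, child_image in events:
        for rule in evaluate_spawn(parent_image, child_image):
            counts[(basename(parent_image), basename(child_image), rule)] += 1
    return dict(counts)


def lineage(procs, pid):
    """Walk {pid: (parent_pid, image)} from pid to its root; returns image names, root first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        parent_pid, image = procs[pid]
        chain.append(basename(image))
        pid = parent_pid
    return chain[::-1]


# Constructed data modelled on this report: three of the wmiprvse.exe -> schtasks.exe
# rows, one benign cmd.exe -> schtasks.exe launch for contrast, and a PID map taken
# from the "PID A wrote to memory of B" rows later in this analysis (sample.exe and
# the explorer.exe root are placeholders).
SAMPLE_ROWS = [
    r"Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe",
] * 3
SAMPLE_EVENTS = [(r["parent"], r["child"]) for r in map(parse_spawn_row, SAMPLE_ROWS)] + [
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\schtasks.exe"),
]
SAMPLE_PROCS = {
    1000: (4, r"C:\Windows\explorer.exe"),
    3476: (1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe"),
    4160: (3476, r"C:\Windows\System32\cmd.exe"),
    2236: (4160, r"C:\Windows\system32\w32tm.exe"),
    432: (4160, r"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"),
    2636: (432, r"C:\Windows\System32\WScript.exe"),
}

if __name__ == "__main__":
    for (parent, child, rule), n in sorted(summarize_spawns(SAMPLE_EVENTS).items()):
        print(f"{n}x {parent} -> {child} [{rule}]")
    print(" > ".join(lineage(SAMPLE_PROCS, 2636)))
```

The lineage walk is what turns the flat WriteProcessMemory rows into the chain an analyst actually wants (explorer.exe > sample > cmd.exe > the dropped csrss.exe > WScript.exe); the schtasks.exe launches never appear in it because WMI, not the sample, is their recorded parent.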

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (14 identical events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (14 identical events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (14 identical events)
45 events in total: each of the three UAC policy values is written to 0 once by the original sample and 14 times by the dropped copy at C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (1 event)
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (14 identical events)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (1 event)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (14 identical events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (14 identical events)
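
The "UAC bypass" and "Checks whether UAC is enabled" tables above are two views of the same activity: the sample and its dropped csrss.exe copy read EnableLUA and then write EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Two caveats matter when triaging this. That key is writable only from an elevated token, so the signature name notwithstanding these writes disable UAC after elevation rather than bypass it; and EnableLUA=0 is not applied until the next reboot, whereas ConsentPromptBehaviorAdmin=0 (elevate without prompting) removes the prompt for administrators as soon as it is set. The Python below is an added example and is not from this report, the sandbox, or DcRat: it parses registry rows in the report's layout, counts weakening writes per process, and replays them to give the resulting policy state. The row strings, the sample.exe name and the SID in the sample data are constructed.

```python
import re
from collections import Counter

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Meaning of a 0 in each policy. Only EnableLUA turns UAC off outright, and that
# is applied at the next reboot; the other two remove or weaken the prompt for
# accounts that are already administrators.
UAC_WEAKENING = {
    "EnableLUA": "UAC disabled (applies after reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate without a prompt",
    "PromptOnSecureDesktop": "elevation prompts no longer use the secure desktop",
}

# One registry row in the report's "Description Indicator Process Target" layout.
ROW_RE = re.compile(
    r"^(?P<action>Set value \(int\)|Key value queried)\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?:\s=\s"(?P<value>[^"]*)")?'
    r"\s+(?P<process>[A-Za-z]:\\.+?\.exe)\s+(?P<target>\S+)$"
)


def parse_registry_row(row):
    """Return the row's fields plus the split key/value name, or None if it is not a registry row."""
    m = ROW_RE.match(row.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["key"], _, ev["name"] = ev["path"].rpartition("\\")
    return ev


def uac_policy_writes(rows):
    """Yield parsed 'Set value' events under the UAC policy key, in log order."""
    for row in rows:
        ev = parse_registry_row(row)
        if (ev and ev["action"] == "Set value (int)" and ev["value"] is not None
                and ev["key"].lower() == UAC_POLICY_KEY.lower()):
            yield ev


def uac_findings(rows):
    """One finding per (process, policy) that writes 0 to a UAC policy, with the write count."""
    counts = Counter()
    for ev in uac_policy_writes(rows):
        if ev["name"] in UAC_WEAKENING and ev["value"] == "0":
            counts[(ev["process"], ev["name"])] += 1
    return [
        {"process": proc, "value": name, "writes": n, "effect": UAC_WEAKENING[name]}
        for (proc, name), n in sorted(counts.items())
    ]


def effective_uac_state(rows):
    """Replay the writes in order and return the final integer value of each policy touched."""
    state = {}
    for ev in uac_policy_writes(rows):
        state[ev["name"]] = int(ev["value"])
    return state


def uac_weakened(state):
    """True when the end state removes the elevation prompt for administrators."""
    return state.get("EnableLUA") == 0 or state.get("ConsentPromptBehaviorAdmin") == 0


# Constructed rows mirroring this report (short sample.exe name, made-up SID).
DROPPED = r"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_ROWS = [
    rf"Key value queried {UAC_POLICY_KEY}\EnableLUA {DROPPED} N/A",
    rf'Set value (int) {UAC_POLICY_KEY}\EnableLUA = "0" {DROPPER} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\ConsentPromptBehaviorAdmin = "0" {DROPPED} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\PromptOnSecureDesktop = "0" {DROPPED} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\EnableLUA = "0" {DROPPED} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\EnableLUA = "0" {DROPPED} N/A',
    rf"Key value queried \REGISTRY\USER\S-1-5-21-1-2-3-1000\Control Panel\International\Geo\Nation {DROPPED} N/A",
]

if __name__ == "__main__":
    for f in uac_findings(SAMPLE_ROWS):
        print(f'{f["writes"]}x {f["value"]}=0 by {f["process"]}: {f["effect"]}')
    state = effective_uac_state(SAMPLE_ROWS)
    print(state, "-> elevation prompt removed" if uac_weakened(state) else "-> UAC intact")
```

Replaying the writes rather than alerting on each one is deliberate: the same three values are rewritten many times here, and what the responder needs is the end state of the host, plus which process is responsible for each value.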

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\lt-LT\csrss.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Windows\System32\lt-LT\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Media Renderer\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\ModifiableWindowsApps\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\sihost.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InputMethod\CHS\sysmon.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Windows\InputMethod\CHS\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Windows\fr-FR\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Windows\fr-FR\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
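
Every executable this sample writes (the three "Drops file" tables above) borrows the name of a Windows component, among them csrss.exe, spoolsv.exe, sihost.exe, fontdrvhost.exe, backgroundTaskHost.exe and sysmon.exe, but lands somewhere that binary never lives: a locale subfolder such as System32\lt-LT, fr-FR, InputMethod\CHS or BrowserCore\en-US, or a Program Files directory. Each copy is also accompanied by a 14-character hex-named file in the same folder (886983d96e3d3e next to both csrss.exe copies, 6ccacd8608530f next to Idle.exe, 121e5b5079f7c0 next to sysmon.exe, and so on). The Python below is an added example, not code from the report or from DcRat: it classifies drop paths against a table of canonical locations that is my assumption and not something the report states (CANONICAL_DIRS; Sysmon's install path in particular varies), and pairs each executable with its hex companion. The row strings and sample.exe are constructed from the paths in this report.

```python
import re

# Assumed canonical directories for the Windows binaries whose names this sample
# reuses (T1036.005, match legitimate name or location). These are the example's
# own assumptions, not something the report states; Sysmon's path in particular
# depends on how it was installed.
CANONICAL_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "backgroundtaskhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "sysmon.exe": {r"c:\windows"},
    "idle.exe": set(),  # "Idle" is the kernel's idle process; it has no on-disk image
}

# Locale/resource folders (lt-LT, en-US, fr-FR, CHS) hold .mui resources, not executables.
LOCALE_DIR_RE = re.compile(r"\\(?:[a-z]{2}-[A-Z]{2}|CHS|CHT)$")
# The 14-hex-character file this sample writes next to every executable it drops.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")

FILE_ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+(?P<process>[A-Za-z]:\\.+?\.exe)\s+(?P<target>\S+)$"
)


def parse_file_row(row):
    """Parse one file row in the report's 'Description Indicator Process Target' layout."""
    m = FILE_ROW_RE.match(row.strip())
    return None if m is None else m.groupdict()


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory, name


def classify_drop(path):
    """Return the reasons a dropped path looks like masquerading; empty list means nothing fired."""
    directory, name = split_path(path)
    lname = name.lower()
    reasons = []
    if lname in CANONICAL_DIRS and directory.lower() not in CANONICAL_DIRS[lname]:
        reasons.append("system_binary_name_outside_canonical_dir")
    if lname.endswith(".exe") and LOCALE_DIR_RE.search(directory):
        reasons.append("executable_in_locale_dir")
    if COMPANION_RE.match(lname):
        reasons.append("hex_companion_file")
    return reasons


def pair_companions(paths):
    """Map each dropped .exe to the hex-named companion written in the same directory, if any."""
    by_dir = {}
    for p in paths:
        d, n = split_path(p)
        by_dir.setdefault(d.lower(), []).append(n)
    pairs = {}
    for p in paths:
        d, n = split_path(p)
        if n.lower().endswith(".exe"):
            companions = [x for x in by_dir[d.lower()] if COMPANION_RE.match(x.lower())]
            pairs[p] = companions[0] if companions else None
    return pairs


def triage_rows(rows):
    """Parse report rows and return {path: reasons} for every path that trips a rule."""
    findings = {}
    for row in rows:
        ev = parse_file_row(row)
        if ev is not None:
            reasons = classify_drop(ev["path"])
            if reasons:
                findings[ev["path"]] = reasons
    return findings


# Constructed rows using the drop paths listed in this report, a shortened dropper
# name, and one control row for a csrss.exe in its real location.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_ROWS = [
    rf"File created C:\Windows\System32\lt-LT\csrss.exe {DROPPER} N/A",
    rf"File created C:\Windows\System32\lt-LT\886983d96e3d3e {DROPPER} N/A",
    rf"File created C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe {DROPPER} N/A",
    rf"File created C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e {DROPPER} N/A",
    rf"File created C:\Windows\InputMethod\CHS\sysmon.exe {DROPPER} N/A",
    rf"File created C:\Program Files\ModifiableWindowsApps\spoolsv.exe {DROPPER} N/A",
    rf"File created C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe {DROPPER} N/A",
    rf"File created C:\Windows\System32\csrss.exe {DROPPER} N/A",
]

if __name__ == "__main__":
    for path, reasons in triage_rows(SAMPLE_ROWS).items():
        print(path, "->", ", ".join(reasons))
    paths = [parse_file_row(r)["path"] for r in SAMPLE_ROWS]
    for exe, companion in pair_companions(paths).items():
        print(exe, "companion:", companion)
```

On a live host the same two checks translate directly into a hunt: list every file named like a System32 binary that is not in System32 or SysWOW64, and every extensionless 14-hex-character file sitting next to an executable under Program Files or Windows.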

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (39 identical events)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (1 event)
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (14 identical events)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (31 identical events)
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (33 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A (1 event)
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A (14 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe C:\Windows\System32\cmd.exe
PID 4160 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4160 wrote to memory of 432 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 432 wrote to memory of 2636 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 432 wrote to memory of 4268 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 2792 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 2792 wrote to memory of 4780 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 2792 wrote to memory of 4116 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 3936 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 3936 wrote to memory of 752 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 3936 wrote to memory of 828 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 752 wrote to memory of 3396 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 3396 wrote to memory of 3004 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 3396 wrote to memory of 660 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 756 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 756 wrote to memory of 2696 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 756 wrote to memory of 1808 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 4948 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 4948 wrote to memory of 4448 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 4948 wrote to memory of 3744 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 4448 wrote to memory of 1668 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 1668 wrote to memory of 4428 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 1668 wrote to memory of 1892 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 4428 wrote to memory of 760 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 760 wrote to memory of 4952 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 760 wrote to memory of 3076 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 4952 wrote to memory of 3480 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 3480 wrote to memory of 2892 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 3480 wrote to memory of 4360 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 2892 wrote to memory of 4924 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
PID 4924 wrote to memory of 4336 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe
PID 4924 wrote to memory of 4100 N/A C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe

"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Application Data\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\lt-LT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\lt-LT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\lt-LT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\CHS\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHS\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\CHS\sysmon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oszwxQVu0d.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d2dbeb-09aa-49a3-a59a-ecfff4e4687a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\487bef11-732c-4f09-9e69-0649240a98e6.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9215737a-9023-4d88-aa18-7e9311fef821.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae18a4a8-5907-4c89-b9bd-58cdf6df3e1b.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5736726-dda2-4832-958b-93c37477efa1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d556740-89c3-4adc-8a28-37f0e98806a9.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1226b7c8-4418-46b4-8cab-c1618db75b7e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f157e31f-3976-4d4c-891c-75bb183892a0.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c08e0926-4a2d-4096-85a4-f134d9f24fd3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\554596a3-7fc1-4d97-a2a4-bbd13d697e48.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c64f81b-31c5-4be8-90fb-76fd3b9b26c7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41625baf-b2e2-4a3f-9666-2959b704478d.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2d9cae9-f8ee-4eb7-bd9a-15059fbea596.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31b1e78c-2f01-4cf2-a1da-431a36c5e850.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77aa68ad-317e-4b7c-831c-15ca09654b1b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dc61ff7-c6d8-4be1-8b6a-f0633b81b406.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fe63248-4d99-4881-9126-9881a0c93acd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec69d267-5ed9-4429-be41-6a136ca144ad.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\013bdb00-a20c-46b6-8d04-e60e4f99ec77.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba90aebd-a530-42ad-8c8b-f7460bbec0de.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cad685b3-96e3-4f87-8572-746e651e2bd5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\819759e8-32a4-4549-9213-73de3171a0ed.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3e21962-1a5b-4940-89a4-3b5f8fcd5a71.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\380c477d-03fe-40fa-b4a2-5441e9514ad6.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8774fae-d3cb-41f0-808b-fe7e63a6a2d8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8efb27a-0258-4d3b-bbe0-fb3322896504.vbs"

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c59b8a9e-fdbc-4509-a0ec-b582387f1fdb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1587e45b-60d3-4300-9cf2-be73405f3cd9.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.217:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 a0993445.xsph.ru udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
US 8.8.8.8:53 93.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Windows\fr-FR\fontdrvhost.exe

MD5 49c8ca6dcd8990e9d840ec142959abe8
SHA1 7ff8e014f01f82bab6e239bde43bd60592af90e7
SHA256 dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
SHA512 59f10d0dd41296d8d5d08ff930ad920ce5c4fe25eeee669ea0225c815f9c06e0487a6fd1f18d373a54aa16f29b37bab9f247961f31d2b2fdf706095a12c82f15

C:\Users\Admin\AppData\Local\Temp\oszwxQVu0d.bat

MD5 d773862ae789a591c36eca7ee2ccfd13
SHA1 658a276d1c746a86300114593fea89773bcfd17d
SHA256 0d88195ee10c44ea57a032ea187050b210f5aff17047ac210cbab0a95897eee0
SHA512 a9a44ad76ead7fdcf803f62dcf45c1c6b6e241a5dd3851e3700eb85b32e7b3ea11626efd1266207bc4fc2297efd93a4dc9b84a884cb7e73c34bc335f27043084

memory/3476-72-0x00007FFD17AF0000-0x00007FFD17CE5000-memory.dmp

memory/432-76-0x000000001D7D0000-0x000000001D7E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b5d2dbeb-09aa-49a3-a59a-ecfff4e4687a.vbs

MD5 68ec25789561ba518720f9c731e92789
SHA1 e18b46302d142772998f24181cf4d484f0e079be
SHA256 db9ca796da28297b999020c43da1077a686692ee8343e2b895ab0d94ae6c5e2b
SHA512 5f0c7e266aa857c5b1ed4e9d1859157537adb07fccd75338a34d09f7756b661dc8848df9d1ee4bbfa3d0d10617ab02f1c123246f363d03ea7141e7d798c1d681

C:\Users\Admin\AppData\Local\Temp\487bef11-732c-4f09-9e69-0649240a98e6.vbs

MD5 cadbc7b461619f8896f4189dd6068d09
SHA1 5ae148e0c07aa9ba3f16c9df3d2db6f75eeb94fb
SHA256 e15d007261325a4115ae0dbb7a441f6a04a141da893ea4b7e853200afe268b5b
SHA512 fb150496fe672b98ae6466fd82215fbef1dbfb2d9b19ebdb707f429351fd817bbc7125b99dd3c6654fad26ac1943166e167d2e57d039ff58307d8151010d1260

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

C:\Users\Admin\AppData\Local\Temp\9215737a-9023-4d88-aa18-7e9311fef821.vbs

MD5 9729488a219255faaca0e1d52bf0ab85
SHA1 7849ffc52c27e7a6f3a2ce08f166dba85ca1183d
SHA256 5939b58205a613e84317c86ced8d536ebeea6dfdd2f84a39a46cbba5575e5363
SHA512 b4dd6e62177ed077e0d12f9f791960798561cbb0b23fa679bc247815fe4b5af3f54b93ac69e2fe68084725540b453aeda3a65605deed7db688f13398dd1891b5

memory/3936-100-0x000000001D600000-0x000000001D612000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f5736726-dda2-4832-958b-93c37477efa1.vbs

MD5 81401d0efb8e773132946326ef0a1b66
SHA1 5ef8c3544bdfb4ed783690e26d3cadbd094c60f3
SHA256 cd5a9aa1431174825d43713f0de46f7cbe93e96c282c8fe0568b98a3da1ca355
SHA512 2831a804c64bdc29dfe69e6bbdf95247fce11c10b8cca5093d60267861091cfaeaafcc71f0f7b683b89fdb6f25da0a40fe325fbfa84b9d5eb07cdd4a1ecb6dce

memory/3396-112-0x000000001BF20000-0x000000001BF32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1226b7c8-4418-46b4-8cab-c1618db75b7e.vbs

MD5 2ae9504d1e16914b8a5827e2fd7ff196
SHA1 0848900d0abe48c6dce57e2ab1699aef064d2187
SHA256 2cac320902dfb988660c49d2354f2f997dac6390aa7b55e1890aa488841f96f6
SHA512 28130f771fcb1eeef2fc096d26029eec31b044219e7e5f9f196bf5d380afd6d1a24779a0c60620aa895df41ea0e329bcd7d4ba240030555f24a0450df74296d0

memory/756-124-0x000000001CFD0000-0x000000001CFE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c08e0926-4a2d-4096-85a4-f134d9f24fd3.vbs

MD5 b4e8a50a97bf3101cf935abea50cbaaf
SHA1 72f225abcb4d250335a3554e1249181a33ebd80b
SHA256 802f38a2d084bbf4c53d3001034d5355efacf095fddb1ec1371a576ce41a98d2
SHA512 c3690af332a545722f661f06f4d6ec9de6379fb849707fccbd7e8914b2aa07d4710b009fbbfc8ba890e3b23cc349a867d2d869ab6ee2b85087419c0c4fd57f95

C:\Users\Admin\AppData\Local\Temp\6c64f81b-31c5-4be8-90fb-76fd3b9b26c7.vbs

MD5 4684951d16a9f419a9ab3dc3aa1d88de
SHA1 1769f0f9dbbbdbf0e70e7d700914151db920ae9d
SHA256 1809f4ab50af45e1f9dbbf479e34f48b58c87ce765cf551fdf0916cad4947834
SHA512 5ef54e5fa23a5e833b0619275825c0b081211c869da36629568d6156ab197bf98b99795166f1c8aeeaa7ab7c3acf3ed67f73755aa7c7dbe6757dcd878288aeaa

memory/1668-147-0x000000001D230000-0x000000001D242000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a2d9cae9-f8ee-4eb7-bd9a-15059fbea596.vbs

MD5 a2013235564b5718ea55f42e3e19bbbb
SHA1 fc018f00344cde0dcc5c85253759aff8b4bd9ff9
SHA256 d3749363d2720dd8ab85bcccf411e9cbda95aee69655d2558d15040772ed5247
SHA512 318db5b76392e22cc678396c1875881d38dd138b92ef60226bf860482c52a5ac5cd9b27403906e4eacbfc8c3e6ad59ebb5d7b18953fbe56e4ed5b939df4013b9

memory/760-159-0x000000001D1E0000-0x000000001D1F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\77aa68ad-317e-4b7c-831c-15ca09654b1b.vbs

MD5 556c54ea1a74d7d4d4cbe78ffb29772a
SHA1 cbf068994eb62c0a46505cb99dffb1d479063920
SHA256 e933c407e594a3cf52606e6de98618216e32f0166af32a1046b9446f8035d863
SHA512 11e851e1865ee2310641aeaf2eca3d04d9150f0c0dd40d4b25c8bb1c70ca12dcdddb9b379e9f0a0fcf3c0e01276bf7678ca26389fcfe524ab69a26dc13f86fbb

C:\Users\Admin\AppData\Local\Temp\5fe63248-4d99-4881-9126-9881a0c93acd.vbs

MD5 e1906f096bd270f5ec3c53c62942ae3c
SHA1 f039d32b8d76480af740601b3058c62d32014feb
SHA256 d27c2f19fb6a9e8e074291109ead23b27f20482d52088b8a9b376654a5276cc3
SHA512 f92e04b528428b7690db61504b655ddcc3b9077e6b95be5a2e372987b65494c0a7e2c717395e8a7d713a2b4063271778b7c844805ec26ecdad604f5719ded1b3

C:\Users\Admin\AppData\Local\Temp\013bdb00-a20c-46b6-8d04-e60e4f99ec77.vbs

MD5 b3c3bb35c6bc2597d39af878563eb009
SHA1 fc5d72f09a8405644433ddb24ba74648541f34d5
SHA256 bc3097c3c69e0c3edfb50dfdac920cc5961f3e9b8f8e764f1baf405928ea1b03
SHA512 7feccc7836675bf3d3342000d79bdfead913af8945a36caf329bae95ad2b3bb304d69678f3f8458d7856d36e8624906514598b435883b12b731eafed3567e4c9

C:\Users\Admin\AppData\Local\Temp\cad685b3-96e3-4f87-8572-746e651e2bd5.vbs

MD5 8756805b17be81d51bc3f29432dfd5ad
SHA1 941469f565d6a9090c520ec7dba2ac79f9e3e517
SHA256 1e2074d746462945ebda01568069711210ddd25fe28212bcb992b3ebf289393e
SHA512 c03bb4f70993cfb82af5f1b0261fd46f638d9efff96186fdd7f4e17c16fa2b18c71fc7cc9051927c5ed3cc4ebcdf5438687217cbcd586865a79b519f4af58720

memory/4228-204-0x000000001BF70000-0x000000001BF82000-memory.dmp

memory/4228-205-0x000000001BFB0000-0x000000001C006000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3bccf458eb716470c7d4dbbf751eae02ff39a387.exe

MD5 1f86e2bc8a32600bb544df09f2153d2a
SHA1 3489acad5429fe77a6051f706fb64671fb6b8c6b
SHA256 aac7ebcec9c557f8f9f028bcd0567c34e093dfa00a48a82e1af5ecbcd6cfc2ba
SHA512 28c2f58f5a673c06d9ac29e075b130ef1e90b20a917c67402b0c25de5837bead3d616685423e3f91854b26f30821f75ba949e6ab25302a8ceb1b25770ea308c3

C:\Users\Admin\AppData\Local\Temp\b3e21962-1a5b-4940-89a4-3b5f8fcd5a71.vbs

MD5 9fa8907add69c5501b3424f9595dcd77
SHA1 ae1d8b1464dd8faea0bfbbc45b5330a52ae49a7c
SHA256 0c0be88bb6ea8fd90091324519ad1403e486d02e8f2e8f2fc18757d43a045155
SHA512 4be485e32528bdde2dbeb8fd1d085aff826d58d29a39f1f44606557472843c86d998f523a0156dbd49661afc8d6d19b3c0ee55230f5d955ed23e8bd5a9cc6b47

C:\Users\Admin\AppData\Local\Temp\d8774fae-d3cb-41f0-808b-fe7e63a6a2d8.vbs

MD5 298c7d92335ee5afb8ec7662e7e2243b
SHA1 623e34cd1cacba1ed7f9771b75c1bfc0439baff7
SHA256 f30a31570425a1fa65cedc795ee9671e2b261b0d21aeabe9fb922d3916003c3a
SHA512 114ceee9d79d4ff8fba1c08d894fdae790e5cf211fd5dd2b272b3790d607199dd70438b35c24597318cc3500c3bda3ed829bddf203db8eca9fb026f1c72ee319

C:\Users\Admin\AppData\Local\Temp\c59b8a9e-fdbc-4509-a0ec-b582387f1fdb.vbs

MD5 83aa3c09841272b89f4b40af017ece4b
SHA1 e506252aaade2b6ab0d196d483e0e63c5842411b
SHA256 96d0545cfe491c70a0adb9b7a3c9af06f6835a191e83f346fa51c0d5ece2c4ef
SHA512 f20e7a6ce550d10a3ea74293ff93e30d958e0381fba6c5e6f9c3f47f9ef992c9c392526e1f4e82d4faaa7eb16cb0adc8fca705b9f37eb180ec6fdf1100f94148