Analysis Overview
SHA256
a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294
Threat Level: Known bad
The file a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Colibri Loader
UAC bypass
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System policy modification
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 01:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 01:18
Reported
2024-10-13 01:20
Platform
win7-20240729-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
"C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7f58ca-dc68-447f-9103-d05d065cfe35.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a182efa-0637-4cf1-8361-f225337a407d.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fc57b2a-d2a5-4494-965d-320629cfe322.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23117cd7-d2d0-4f88-982d-f8a8398bfd9e.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9347a5bf-f3e2-4c4f-a182-1dc5676b21c2.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\150f3990-f344-47ea-9e19-41cce1e7eb0e.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fe8f8c7-aef6-404d-8b20-a3cda7e2e660.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0026df66-dfc9-422b-84ca-d8d2a04c80c9.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6757d11-631c-4204-bee6-c500f6e4278f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e969bc7-9b85-4457-a840-3dd9b8a5375d.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d6e7e3e-da0f-420c-8543-8780341779b2.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec908b77-b75e-4070-b487-d2ef43220fe9.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\649c4afc-3449-410f-bd46-c6abd109ea8c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\439d810d-44eb-491b-9a49-dc22b1611cdf.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\198eeaed-939d-461b-9944-fbbd460055a6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faf3e1ee-5cc5-461f-801b-44509f856c4b.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c116cfa9-fc5e-4ceb-86fb-93df5d5b6b21.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb35d466-91cb-4355-83ad-85466a680463.vbs"
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b78b63f7-a462-4d3e-808f-715754bc87c1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cddd0145-49b6-467c-a691-3c77d164eb36.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81888.cllt.nyashteam.ru | udp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
Files
memory/2652-0-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmp
memory/2652-1-0x0000000001350000-0x0000000001844000-memory.dmp
memory/2652-2-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp
memory/2652-3-0x000000001B3D0000-0x000000001B4FE000-memory.dmp
memory/2652-4-0x0000000000290000-0x00000000002AC000-memory.dmp
memory/2652-5-0x00000000002B0000-0x00000000002B8000-memory.dmp
memory/2652-6-0x00000000005C0000-0x00000000005D0000-memory.dmp
memory/2652-7-0x00000000005D0000-0x00000000005E6000-memory.dmp
memory/2652-8-0x0000000000800000-0x0000000000810000-memory.dmp
memory/2652-9-0x0000000000810000-0x000000000081A000-memory.dmp
memory/2652-10-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
memory/2652-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp
memory/2652-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp
memory/2652-13-0x0000000000AF0000-0x0000000000AFE000-memory.dmp
memory/2652-14-0x0000000000B00000-0x0000000000B08000-memory.dmp
memory/2652-15-0x0000000000B10000-0x0000000000B18000-memory.dmp
memory/2652-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
| MD5 | 28feb5efaafa67cef60ea0228eaaad26 |
| SHA1 | 11f07fa02dad31c4209461451386796085235e66 |
| SHA256 | a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294 |
| SHA512 | 0c3b5d70c06d01d0124bddadf15ee6df3a787a77eb786fe6438587ecc87291de0e3b5b1d5102f5228e6a944e88251b3bf4b584c236cda6d5c1cb947739a6be6c |
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe
| MD5 | df6dafb7a350443e244b1d4902bd1aec |
| SHA1 | 3258fb76addf7fa4d9f83b8b166b3fda16ac7bf9 |
| SHA256 | 4af8a55dfbd9bf011aeb38f30fe537a9317a6d7f975dcb8f91e3afb59c33d261 |
| SHA512 | f41cea335ae1faf199a5092bb8c027a6dd6fd5419633ca277824f2003aa6513d232fe76117d664e9aa349922f6a7fa6f3c4c88321083efb3fe40679cdfaff086 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 1b95fefa3fdd2e8563f00f6c87653e8b |
| SHA1 | cdcfc126b61c3375efe6a70212caaec2bde6c9c2 |
| SHA256 | 0c1857c3e494932a38f536cb35007e64bc9830ce098e15936efa5aafcbcfc536 |
| SHA512 | 690cf1742a0b96b66f285885e17fcc9f595b61e907644bac06f96ce62b55ffef4aa5ad35efebca8b77d43891f1e3f21d4af48b1c0e3845d13b530f109505ab10 |
memory/2396-92-0x0000000001D00000-0x0000000001D08000-memory.dmp
memory/2396-91-0x000000001B730000-0x000000001BA12000-memory.dmp
memory/112-111-0x0000000000CD0000-0x00000000011C4000-memory.dmp
memory/2652-117-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/112-144-0x0000000000600000-0x0000000000612000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0f7f58ca-dc68-447f-9103-d05d065cfe35.vbs
| MD5 | c5892f4857f5603438969b1e439be955 |
| SHA1 | 50fa0665cb2487236fc9e7e704c1d8290b487d14 |
| SHA256 | 245049eee694021894b91dd01410011c55d6f4df490c19a92984e4625a892cb6 |
| SHA512 | d93cb88f661639419001e22bebd47dab7ea7f07524c565f24771bea79ef7fdff9779fdbbd0f2a519c5236824dcad3793dbd61ff8a92eb418bff78971d61b3a26 |
C:\Users\Admin\AppData\Local\Temp\6a182efa-0637-4cf1-8361-f225337a407d.vbs
| MD5 | 2e483b6b9d866c6955ae28e48bda701a |
| SHA1 | a7e53e4e6031d3ced592de04b717b8ace48a8297 |
| SHA256 | f46f7eee8b31cad8a57760e2f4376ad5bb1cd1b3d3c7f7390506a590f5b9185b |
| SHA512 | f9272f8a76e1cdf227de79314e0d86150cafd97033fe208af5f6d0776005b5e17e2f1a8e4189e84ffc34f715df3e4036f1679b25de6b5ffd3b3e37816c0f304c |
C:\Users\Admin\AppData\Local\Temp\tmp1C66.tmp.exe
| MD5 | e0a68b98992c1699876f818a22b5b907 |
| SHA1 | d41e8ad8ba51217eb0340f8f69629ccb474484d0 |
| SHA256 | 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f |
| SHA512 | 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2 |
memory/1592-158-0x0000000000410000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7fc57b2a-d2a5-4494-965d-320629cfe322.vbs
| MD5 | 43f3b0ee712596a052d027561030493d |
| SHA1 | 66336dd4e5bbd775e9ce01980ea77a9e37a325ea |
| SHA256 | a55c0194cfbddd867cf5ebd9636b02beb9239a9b04a44dd1d891f624dd2cb819 |
| SHA512 | bd29440b1d041c55b0c46725b2d7e39060fcf9225a52979bc4f5db492fb3618c9ab2c5376a0ac3771a913642283076739deccba8769dac13417a2c7a7b503b59 |
memory/2276-173-0x0000000001340000-0x0000000001834000-memory.dmp
memory/2276-174-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9347a5bf-f3e2-4c4f-a182-1dc5676b21c2.vbs
| MD5 | 64921cfbcc88783c2fd4981d63ee059a |
| SHA1 | 78056bf0b47bd7a59ba0a2f2468cfeeb98b0e41f |
| SHA256 | a74b2678eddead94fcce0cbd9844c9168cb99bba7198890df7e05d82d0deb12e |
| SHA512 | ce4f5372fa7779c887960b428b58b3bf6e7ef104e9ce3a053e28a78f7f9db089f3ef86dc82839c53e6f201c5d6fa84209cd39a5497ede16a55a95a74497f9449 |
C:\Users\Admin\AppData\Local\Temp\4fe8f8c7-aef6-404d-8b20-a3cda7e2e660.vbs
| MD5 | 12c59d9603be25ede6472b6e754357d4 |
| SHA1 | de80db6ca6c0859d514a4345c4694e6123087d09 |
| SHA256 | e2dbe49fdd2298280c74a98ae46a1bf43b7b7593c69053649ead3f70e117f0f5 |
| SHA512 | 883368567db887d9fe4859deb29dec39913afa31dab21d1a7e9f336cb199d361b3cfb04f32a7eef9b97969ffe1849700bff3b81acbf6a83e8df092a7cdc7c65a |
C:\Users\Admin\AppData\Local\Temp\c6757d11-631c-4204-bee6-c500f6e4278f.vbs
| MD5 | c7916800408bb8f14e172e9fbc203149 |
| SHA1 | aec24609108f6bc6fa8a98519a8fe2107ceb97ff |
| SHA256 | 0d73124545c2068266459fc91a85f644ba832311901f4499d5a6907cf2e638b4 |
| SHA512 | c54157eb5a46510319d8bbe10ac520a35bc31e43f5ad773b7212a0a9578f754ad8cb668002f01ff59a4e6172b4ffd0fea0920c6359cd076dbb2de2a90a0597bc |
memory/2272-217-0x0000000000200000-0x00000000006F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2d6e7e3e-da0f-420c-8543-8780341779b2.vbs
| MD5 | bc5be9ba7ee713b14e109cf190614ed4 |
| SHA1 | 8a8b8b7af7707aee9eb66f4f6bc6e94caf878330 |
| SHA256 | 470cccf3c226c75b95f9f40eaa6e7a1c6fb986a9d87761c5dc96a0caf6ef3283 |
| SHA512 | 53fbf8dfa8d2112ca49bd763ca5de2a95a7beaeca33abf75d09501c24993582dc590a26ad350c429b76f7496ca34d5982bffbc30b6964a4ca2d2ca48bbaa5d80 |
memory/2808-232-0x0000000000E10000-0x0000000001304000-memory.dmp
memory/2808-233-0x0000000000B40000-0x0000000000B52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\649c4afc-3449-410f-bd46-c6abd109ea8c.vbs
| MD5 | 1564aa05f49ae2087ba70a5999daaf1f |
| SHA1 | 9a02b469b813397b3db7df4b8d4ddc568e48a5f6 |
| SHA256 | f7d75eeb6a0764fddaf3bb498f20fcb1777678d476047a116244658ec88aa5e7 |
| SHA512 | c599adc64af771c881ca9a0b88a75dc5bbdf12da0f666d3d1ac2d3c66375667091f8f09d9574d05c41c4125030d9b5f4e476d1adbaee01cb4a90889f2e211b7b |
memory/2976-248-0x00000000011D0000-0x00000000016C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\198eeaed-939d-461b-9944-fbbd460055a6.vbs
| MD5 | 1a011cc7f3c6ddbb10ca348301623249 |
| SHA1 | 6e408125f02eaf09273633a8ee6ad628144e9e60 |
| SHA256 | 07dc8c2b39fa8085127dc6c636ee9360c60075fc03b94ff3b4fd1384193d9d9b |
| SHA512 | 098d366e6d3713dc972a57342e30d9454d1f2bb508041591d6160c48931ae02476bf3600a1073930037e605f5da5a037ed110d8161544896cf43aaeceeb6307f |
memory/2388-263-0x0000000000A30000-0x0000000000A42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c116cfa9-fc5e-4ceb-86fb-93df5d5b6b21.vbs
| MD5 | 2c33a2ef456867a4b968c75c727abe91 |
| SHA1 | 2cee344b963605257f46d941199a1627b0b76cbc |
| SHA256 | 26a5ab18da6b5c6c889fecb535637f498a7bf0c4f14c4d52fe15affbed1a2ba1 |
| SHA512 | 3ec013051aa3b7811aa5ade5f14fd0103ba9117252486207162a667542d16eebd64c7695c62a0950377fbcafc8fc4c64d680e10f6a422fe4479693c5a583c7d4 |
memory/1948-278-0x0000000000390000-0x0000000000884000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b78b63f7-a462-4d3e-808f-715754bc87c1.vbs
| MD5 | e91481d8ab8061d5b445ee1707363d45 |
| SHA1 | f35a8751a248507ed89f15fe938eafeb2cde239b |
| SHA256 | 7d73b955c461e83ed4a721d9c2db248c5d68905644afca260514bf8a303e55da |
| SHA512 | f3f7d49d1389e4e4737b153961599f14120b5626131dc6f8623a848f445741ddd9ae82355f1cbd14335634657208eb9d04734483b0bb930b21e56c829239b36d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 01:18
Reported
2024-10-13 01:20
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Colibri Loader
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
Executes dropped EXE
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\StartMenuExperienceHost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
"C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\fr-FR\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\fr-FR\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\fr-FR\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Documents\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dd8ee7e-526b-4875-ad88-54693d0a91df.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977bc7e1-bb30-4df8-8ec8-44fbb38c4fdb.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7cd0a48-3d56-498b-8e45-b3be20997168.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6b1534e-08bb-4848-aeb5-5bee2fc80a4e.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4630d9b6-cfc1-455f-b2d6-563d47f12c86.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb44d336-9099-4498-b5d1-a48f7c4b50e9.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\677c86e3-528a-4a57-8f96-6cc47b4e014d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\960f67c4-1770-4c94-9720-deb81304ef86.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed63c738-24d7-44fd-b570-7a806c716aa9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06b19597-01f9-4cdf-a793-762e18e05b3e.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edfec621-3d19-4b90-9481-766f9b256f20.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f517509d-e4c6-4bfd-b4ed-0a17560d5a0b.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77091d81-de8a-4520-b10a-086076354dcd.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1341083a-c021-4032-b2c1-dc9ac18b9385.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1002242-b536-4112-ac78-472bb0f633f6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98401a2a-653b-4b90-8283-201663f85b69.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cb432a7-c6da-4387-9094-43c907fe0db7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4460514a-132a-42dc-b728-09defded5742.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e681a839-f0af-4025-922f-c04fe172d39f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2bf037-dc6b-49c0-9e72-aa676ab6012c.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f176916-4f6d-4670-9b9e-2367839e7ef3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5029bf7-7c24-4ce2-8d73-b1cb886afcf6.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5b9e875-131a-4d62-9fee-774b5e90c7f9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\736d1140-784a-4f27-9585-4a652facdf2c.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f03772fd-4949-4101-8656-a16326278ec2.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\859d5ae5-3f27-4fd7-88ca-12dc8c97f5ea.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe"
C:\Program Files\Windows Security\StartMenuExperienceHost.exe
"C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4b055cb-9762-402b-a3b8-3ca3b6f3157a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a4532de-a74a-4c50-a5f6-399ce858202f.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 81888.cllt.nyashteam.ru | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | 8.2.21.104.in-addr.arpa | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
Files
memory/2724-0-0x00007FFC9E2B3000-0x00007FFC9E2B5000-memory.dmp
memory/2724-1-0x0000000000A50000-0x0000000000F44000-memory.dmp
memory/2724-2-0x000000001BE00000-0x000000001BF2E000-memory.dmp
memory/2724-3-0x00007FFC9E2B0000-0x00007FFC9ED71000-memory.dmp
memory/2724-4-0x00000000030A0000-0x00000000030BC000-memory.dmp
memory/2724-5-0x0000000003220000-0x0000000003270000-memory.dmp
memory/2724-7-0x00000000031D0000-0x00000000031E0000-memory.dmp
memory/2724-9-0x0000000003200000-0x0000000003210000-memory.dmp
memory/2724-8-0x00000000031E0000-0x00000000031F6000-memory.dmp
memory/2724-6-0x0000000002FF0000-0x0000000002FF8000-memory.dmp
memory/2724-10-0x0000000003210000-0x000000000321A000-memory.dmp
memory/2724-11-0x000000001BD50000-0x000000001BD62000-memory.dmp
memory/2724-12-0x000000001CA60000-0x000000001CF88000-memory.dmp
memory/2724-13-0x000000001BD60000-0x000000001BD6A000-memory.dmp
memory/2724-14-0x000000001BD70000-0x000000001BD7E000-memory.dmp
memory/2724-15-0x000000001BD80000-0x000000001BD8E000-memory.dmp
memory/2724-16-0x000000001BD90000-0x000000001BD98000-memory.dmp
memory/2724-17-0x000000001BDA0000-0x000000001BDA8000-memory.dmp
memory/2724-18-0x000000001BDB0000-0x000000001BDBC000-memory.dmp
C:\Program Files\Common Files\System\fr-FR\Idle.exe
| MD5 | 28feb5efaafa67cef60ea0228eaaad26 |
| SHA1 | 11f07fa02dad31c4209461451386796085235e66 |
| SHA256 | a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294 |
| SHA512 | 0c3b5d70c06d01d0124bddadf15ee6df3a787a77eb786fe6438587ecc87291de0e3b5b1d5102f5228e6a944e88251b3bf4b584c236cda6d5c1cb947739a6be6c |
C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe
| MD5 | e0a68b98992c1699876f818a22b5b907 |
| SHA1 | d41e8ad8ba51217eb0340f8f69629ccb474484d0 |
| SHA256 | 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f |
| SHA512 | 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2 |
memory/1252-86-0x0000000000400000-0x0000000000407000-memory.dmp
C:\Program Files\Windows Security\RCXEFEB.tmp
| MD5 | fc3d3330bba09040a4f336fb5d7fb17a |
| SHA1 | 0ab1bfe3649db1109197b6a619b91bfb6d77fee4 |
| SHA256 | 66a4537a7f5892f30287dd78d2d22ce3b0d312d4c6f8b996c7b3f6762b8c981f |
| SHA512 | 019f5444fe85d22b9868cd63fcf6c75b47b942e7040d015dbf281e85c2ec2146b92e0c4cda11185e7a538637ebe89876434ea58be3df9496c27dd075fd380e9e |
memory/2724-146-0x00007FFC9E2B3000-0x00007FFC9E2B5000-memory.dmp
memory/2724-161-0x00007FFC9E2B0000-0x00007FFC9ED71000-memory.dmp
C:\Program Files\Crashpad\TextInputHost.exe
| MD5 | a4a27b58a4cc61da3cb68c8269bd7ba5 |
| SHA1 | 1d2fc974209ae251e7ab1599fe04c32bc3df8559 |
| SHA256 | f04c187aeffb7e7ede15ea2d8bc371bbf8fb4f8931982e11262b8793aa39cb68 |
| SHA512 | dd4ba7deda5da39d7ccec5b19eca52cfcd9df9850cd2561ae1a7b38a70b92fdc6a7311d8015db255935d79fb58ecc5e4171e5e24efc40196a01b3b4404590ac0 |
memory/4864-236-0x000001D10E1E0000-0x000001D10E202000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc0ly4ko.adt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2724-342-0x00007FFC9E2B0000-0x00007FFC9ED71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Temp\9dd8ee7e-526b-4875-ad88-54693d0a91df.vbs
| MD5 | a561c9144b7f01eb24fc36b462fafae7 |
| SHA1 | 0a9ddfbe54808595c6d7fa7477092276118b7d60 |
| SHA256 | 9046c534236c0a1f79d603d2869ae9dee869b13307ee485b5638c081f5432fd1 |
| SHA512 | ae6b8b75e8a25deef5644410af659497e0ed24dc1e829a3c66b35559744c3d45b027833b001f954e6388157d35e6ce8834083a65b9cad29d62b0a25e7ee1afdd |
C:\Users\Admin\AppData\Local\Temp\977bc7e1-bb30-4df8-8ec8-44fbb38c4fdb.vbs
| MD5 | 1a8ca627414030509e33bb6e0a11931d |
| SHA1 | 3b07518e903988c8c5e8361a4841c0fe66666db9 |
| SHA256 | d75eb018233894b22f66f7f4f4b4352554a45f9f9964b477c3481011f9bb08c7 |
| SHA512 | 0abd255f78d9b9b217c53a3fb21773b3504785b17ed6507924fd0828c3cba624936dad3aa0b747000342df85221a3fd5189910ace78baa50e6f96ec42be54e85 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log
| MD5 | 4a667f150a4d1d02f53a9f24d89d53d1 |
| SHA1 | 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97 |
| SHA256 | 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd |
| SHA512 | 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8 |
C:\Users\Admin\AppData\Local\Temp\6d889a504b94b3ba7ef7a4a7021d9bf827218cb1.exe
| MD5 | 242b580afd1cf06e03e38cf554d52335 |
| SHA1 | 40dfce08976261d4bf6046399eb22d51c5745bca |
| SHA256 | 698070e3219eba0cc5d9b94a67618478e642e179ab5aca28ab70a596b8e0cb49 |
| SHA512 | 332ce55dee7031544f06cd35f6c36366169264ef70e104a97a17ce041a3727a6eb23a60dc659fa68469f7a7b2069884db01250390229d5ba887ec0ca3d945183 |
C:\Users\Admin\AppData\Local\Temp\b7cd0a48-3d56-498b-8e45-b3be20997168.vbs
| MD5 | 08f6df074af8f46c8e242f4f99b89fdd |
| SHA1 | 4fdb1b3d870606e5005d857376903bd7e66b9706 |
| SHA256 | 1ab91113b25a448a5e5411f906eb0d79510b53b49057452b34f5ec43b52ecd36 |
| SHA512 | 4bace21ce205f65440ad7b6257967eb139669a1bb55b5790517756c4f923e16c99090e708333e23c83138aa4d83ad40ce69525154d8ea9a14aef728cb93f0e21 |
C:\Users\Admin\AppData\Local\Temp\4630d9b6-cfc1-455f-b2d6-563d47f12c86.vbs
| MD5 | d5f7d138798785b3b68a0e9f212f6d82 |
| SHA1 | 60f88abc3de1cb7c4c131e2fe0b8356d3d26724b |
| SHA256 | 6dcf2cafe2df52d2ce40340392cccaaabd5a6d5fa80b474958952f2b90bb557a |
| SHA512 | cc24c794b70201bba7a38bde077be170f870e04d40e85bb16ecf2a065e6f2aa8bef6e19d78e9b229bddf76db8f1c90e86710d8fbad5f66a5de998e3722e34dd7 |
C:\Users\Admin\AppData\Local\Temp\677c86e3-528a-4a57-8f96-6cc47b4e014d.vbs
| MD5 | da869193a79f6938359c4f210967abe8 |
| SHA1 | 4db24d90c1fc3eefa174dfcab5c40cf28b9168ff |
| SHA256 | 98f2f5fc2afb65aa2658dbaddd3fa32c37cc7008f265dea493e38dcf68d0d280 |
| SHA512 | 18418faf384a4895e70e69401037c8b29e547872787ee40f3931be10a5c0dcb04118a39edeaa22b9ed8eb2befce2296f5971b6aa4510a43d12463ff5ceca9e87 |
C:\Users\Admin\AppData\Local\Temp\edfec621-3d19-4b90-9481-766f9b256f20.vbs
| MD5 | 3923d1962917fc848c8e833f24577ad2 |
| SHA1 | 459a72c1845ed6fedd70c413005bbaff891ecd96 |
| SHA256 | 0b51850e0e9eca16d526f23aa5a1c045e0ad54c17174e5f75c3c38624fd64774 |
| SHA512 | 9b51eb8d1b37663aa96a58db68d23bb02312aea2ed7e07f7c9266693dc59d2ce92baf73ca87d4e8d74b24bff07e9ac25098f514338304e698c3165330ef9c825 |
C:\Users\Admin\AppData\Local\Temp\77091d81-de8a-4520-b10a-086076354dcd.vbs
| MD5 | c449c75ad42f2b3c118baf0e33cbb131 |
| SHA1 | 74f3720856380b1d8c00943726fd503b90470466 |
| SHA256 | 8fcd69ddc62ea9a892b6f93ff01271b821a328f034da61c2008d87b71504c878 |
| SHA512 | d99ad01de73bed1e2c8d0e36afe30ce714ebae20a4d72fa9e7af19e6c1c972f4de9a2f79defece42f24541ad5c87523e7b0e31a260275fe9de1645b67c3500c2 |