Analysis Overview
SHA256
b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce
Threat Level: Known bad
The file b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Colibri family
DcRat
UAC bypass
Colibri Loader
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
System policy modification
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-16 11:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-16 11:38
Reported
2024-11-16 11:40
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\en-US\RCXEE1B.tmp | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\en-US\dad904908931ce | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\RCXE783.tmp | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXF4A4.tmp | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\RCXF8BB.tmp | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\tracing\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File created | C:\Windows\tracing\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Windows\tracing\RCXF6B7.tmp | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| File opened for modification | C:\Windows\tracing\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
"C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ceb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ceb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2acdc90-7e60-4332-80a5-d79aa7e70b2d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89d4adf-d3ff-4445-9e7f-5049c4123812.vbs"
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ec01f7-84d8-43cf-9f94-6e0449479811.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\843e6899-a816-4733-915e-c11ea9a41345.vbs"
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8646abc-8eb3-410e-aa60-f55efdc241fb.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\083f9a2f-c2ee-44fd-a3f8-1e79f09afcda.vbs"
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fccbb7fa-498e-480b-b883-b49025319afa.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1449cfd-e35f-4370-a8e4-73a900f4534d.vbs"
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe7db1e3-17eb-472f-9bbb-a97ed039b61c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e98a6ec8-5dc9-4ba6-85ca-f065b52a9f31.vbs"
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\181576d3-ba61-4c8e-affb-205674d39e45.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e93166e-b380-463e-b3a6-88b1c235c15a.vbs"
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e6c7f24-d79d-408e-a5d5-1024f8c9e4f7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4c42fc5-6489-4d76-9ab3-a2c20b39a38d.vbs"
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82724411-0328-4fbb-b3cc-8839dfa8791a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17cc4f1c-09f4-4f1d-b449-881a247be13c.vbs"
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb39ba55-748b-4fc4-a963-51165ab33a00.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\741afc65-802d-4fb2-95c6-6531f9a2e00f.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81888.cllt.nyashteam.ru | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
Files
memory/2100-0-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp
memory/2100-1-0x0000000000190000-0x0000000000684000-memory.dmp
memory/2100-2-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp
memory/2100-3-0x000000001B910000-0x000000001BA3E000-memory.dmp
memory/2100-4-0x00000000006A0000-0x00000000006BC000-memory.dmp
memory/2100-5-0x0000000000170000-0x0000000000178000-memory.dmp
memory/2100-6-0x00000000006C0000-0x00000000006D0000-memory.dmp
memory/2100-7-0x00000000006D0000-0x00000000006E6000-memory.dmp
memory/2100-8-0x00000000006F0000-0x0000000000700000-memory.dmp
memory/2100-9-0x0000000000900000-0x000000000090A000-memory.dmp
memory/2100-10-0x0000000000910000-0x0000000000922000-memory.dmp
memory/2100-11-0x0000000000920000-0x000000000092A000-memory.dmp
memory/2100-12-0x0000000000AB0000-0x0000000000ABE000-memory.dmp
memory/2100-13-0x0000000000AC0000-0x0000000000ACE000-memory.dmp
memory/2100-14-0x0000000000AD0000-0x0000000000AD8000-memory.dmp
memory/2100-15-0x0000000000AE0000-0x0000000000AE8000-memory.dmp
memory/2100-16-0x0000000000AF0000-0x0000000000AFC000-memory.dmp
C:\MSOCache\All Users\OSPPSVC.exe
| MD5 | e5c7c10f2b2e9aae378722a84cf0f1ac |
| SHA1 | 7074fb2e95c3f318276e416d19591cd97b9aa493 |
| SHA256 | b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce |
| SHA512 | 3782809b71de3b67934d02c5d9af5d1a9ae9f0d284bef7f2e151014d1f4485e6764f577de4588f8d1f9d1e58054620f61942a0be2e2f2d6a23d2a8f65d301490 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6934d6db7a3a5c0bff448be75789c77e |
| SHA1 | 56499dfe638bd9d925280144005ce39ae7f275fc |
| SHA256 | 74b64fb759e458123be171710e85731597f84e484c19f65c2d8f66bdf32fb168 |
| SHA512 | e6ad770fa55425035dc77ffef101778bbca4fa0d6131e71c71059605704f8798d287021dca93e1f3f9999ea2c5f60de564905d36116266bf81a1176715579dd9 |
memory/1360-136-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/2288-137-0x0000000002350000-0x0000000002358000-memory.dmp
memory/2100-167-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe
| MD5 | c0b31aaf4cab8d91663634f7465a441f |
| SHA1 | 65b1328a7f891886bcb720ad749065b0bc0a9fa1 |
| SHA256 | 603f261e4e3d7368eb4891eed63a61b4010fae577766a0afc694585b4ca7c51c |
| SHA512 | 757b69d3aeec4cac18364be5dc7bd56fa984e09efa5da67d1e673bf97b41ba61559776a310b58b020f3419ede3413f2a0af36d8d993217bb971820a2bfb58b1f |
memory/2100-176-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp
memory/2044-177-0x0000000000CA0000-0x0000000001194000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d2acdc90-7e60-4332-80a5-d79aa7e70b2d.vbs
| MD5 | d7a74ee039af6acd8838361d921fdc1e |
| SHA1 | 678268eb5a268e2936ade8d3e4c7bc5263c1e2b3 |
| SHA256 | e1582ff6fd7529ebf6c461c6d54d94cdc45f23c8b10e424977b9c23acc081780 |
| SHA512 | 0837d8557e3177d4cdcdb483a1a12435854d6f86dd28c869c1b1fb93ec529a31d12446e7e595960b4b710f73dfb31f22eaab18bf42f1088df6a49608b60e3e89 |
C:\Users\Admin\AppData\Local\Temp\d89d4adf-d3ff-4445-9e7f-5049c4123812.vbs
| MD5 | 50ba931056f8ebc6254f918ff76dc145 |
| SHA1 | 99039ae07e6a99ff44049b9e4801b235fbe5c621 |
| SHA256 | 0f09c71b7d7c8a4e33e3269220308ebc51c71794235f2ad2729c94f54967cdea |
| SHA512 | cdb8c6e5b1ab01a1837669370204d6abd834bd6c12ff46bb2e84f9d0db9a7c0fecd94cb034f8e074c691935014400148b118ffad217d1b07c3b58a1699134b4a |
C:\Users\Admin\AppData\Local\Temp\tmp12D5.tmp.exe
| MD5 | e0a68b98992c1699876f818a22b5b907 |
| SHA1 | d41e8ad8ba51217eb0340f8f69629ccb474484d0 |
| SHA256 | 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f |
| SHA512 | 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2 |
C:\Users\Admin\AppData\Local\Temp\e2ec01f7-84d8-43cf-9f94-6e0449479811.vbs
| MD5 | e930b7d297e073166b5d693b4d39e709 |
| SHA1 | 1b58fc5a4a5f5e19e31060df10c368acef21d5d3 |
| SHA256 | 51f4a55417baf2fb437738ba7c660477fd3be7c7f91a7dfdb4f41674284d5ef3 |
| SHA512 | 635308ae2910cc6dd6f3876f2346de8d99a9deb2ae9b0136a5a4ef5dd44a05c9df6f885ffc7d94944cdba8729cdce52df37e1772c4eed9c47c4a6866a7e31443 |
memory/1732-205-0x0000000001090000-0x0000000001584000-memory.dmp
memory/1732-206-0x0000000000790000-0x00000000007A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e8646abc-8eb3-410e-aa60-f55efdc241fb.vbs
| MD5 | 38cc43e836f92c95eba83f2981c8eeee |
| SHA1 | cbf25bba7886a810baca0646928c0fb47ba81205 |
| SHA256 | fd8efe03a10317f016bef87b98d52c92222f4357fcb1dd5462d8f1fd672d9ff5 |
| SHA512 | da5dcb85f0745ce98e8baa7449088a53ac2a277e7a949a922903a7db1fea8ea79ad028455ac849b6ade9635691c756494d080f9739f3f17fd8cafe93e74cc059 |
memory/768-221-0x0000000000260000-0x0000000000754000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fccbb7fa-498e-480b-b883-b49025319afa.vbs
| MD5 | 78addc630a3ee747be5491f6d1b11381 |
| SHA1 | 9cf6a3e981e1227f0b6d8e4650e5dfd4497a5d58 |
| SHA256 | 9f9a75df6feee99d9788e76cd6d8d3e46d0ab7daa3b09e8f1833906838195d2e |
| SHA512 | 9ebc92252a18875f130bbdd2facb94298699bd91f712439ad46ebda90a63e43d25678ec6a750bec5e7472647163f7ca0f7f33ea04d4def914d9c31384449937f |
memory/2440-236-0x0000000000830000-0x0000000000D24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fe7db1e3-17eb-472f-9bbb-a97ed039b61c.vbs
| MD5 | 0a7d2f902208b0afab5c52895323e5ac |
| SHA1 | b82ec3ee72a885617d2e3c4fa47ecfd55bc71971 |
| SHA256 | 4845334cdbbe9ad4d1f2a8edf376500edba722f6a2fabe87cc7354a1457a3e3c |
| SHA512 | ecb0d8b96e1bc13ffb6ea2ee4c9eceb8847dd2c95c24c3d77be85e54193fef6ec7558f34b7046db32b1e4cdcd9a71e1b08566c9386373409d9a70688f7ea4b7d |
memory/896-251-0x0000000001190000-0x0000000001684000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\181576d3-ba61-4c8e-affb-205674d39e45.vbs
| MD5 | ab58f2173006058dff2773495494f48e |
| SHA1 | ea80df678db1255027bce70640537e200c5ecf66 |
| SHA256 | b1dcdb04320e77d6cf78f86df0c6c49078501dacd660dcefe37520fa2097d6f8 |
| SHA512 | fc8d8da2ab1d41ed09539adaf09b206a4387b6c397eade28203549f96ecf885931597b0fe021a85f634936377ec510a2f31834080f7fe32f893ddb4a6a5c14c6 |
memory/2172-266-0x0000000000080000-0x0000000000574000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6e6c7f24-d79d-408e-a5d5-1024f8c9e4f7.vbs
| MD5 | 4b82871f0af7f84c9c3b954d9417fc38 |
| SHA1 | 77090fc9849619536fc22d22667e3cc2b21c9e9d |
| SHA256 | 98385cffaacbe737f040ae18c6325c67cebbadc59ffe28086fc89805f3bbb35f |
| SHA512 | b9a8d34a708405df095c49d4763fc4e7cbf4a7dc9b2fea7d128b4433ef7f714c2dcc636f01682d8a6825104122be55fa5aec8d0c8d535f8c6c0cd70dba810ace |
memory/2724-281-0x00000000003A0000-0x0000000000894000-memory.dmp
memory/2724-282-0x0000000000A30000-0x0000000000A42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\82724411-0328-4fbb-b3cc-8839dfa8791a.vbs
| MD5 | d320a820fe27d9e90f8989d57ae989a3 |
| SHA1 | 8c17d616336718dc4d65b5b5e3ac748a8f2bb6af |
| SHA256 | a667e6e6b24aa766938bd7f8c1af6aa17bf46521922bf21b46998c7828eee396 |
| SHA512 | fb48b5b975b6b425e16511ba8c973a011e7b8daf907a3ee1c1f55a73e1a61140d38bc8d77a752d448e1d74f8db1b705507112009b4e5994c0a50bd21dbc9407b |
memory/2504-297-0x0000000000330000-0x0000000000824000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fb39ba55-748b-4fc4-a963-51165ab33a00.vbs
| MD5 | b4f4911ba50f463b6c2febb5300cbeac |
| SHA1 | c78a4df470418975664b86e1933193e42e0acd52 |
| SHA256 | ba1517acda6f8389173a6ec9a834adc39a294b0d5ae957e9a91dafbf97ecff17 |
| SHA512 | 83805fcb47f6fd3ef6ad0ea14094669f76fde9d66eb2f02691d845436bad9b349351a95457aed48585f4186d4069bd080b004bf8e37be013c0423185437849c5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-16 11:38
Reported
2024-11-16 11:41
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Colibri Loader
Colibri family
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\dllhost.exe | N/A |
Executes dropped EXE
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpBE98.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB546.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB546.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp3BDB.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp6E55.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpBE98.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp2512.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpEB0C.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Default User\dllhost.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\dllhost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
"C:\Users\Admin\AppData\Local\Temp\b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_32\System.Printing\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\System.Printing\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC_32\System.Printing\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\ssh\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\ssh\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\ssh\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Contacts\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk-1.8\legal\javafx\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\legal\javafx\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\legal\javafx\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\Basebrd\uk-UA\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\Basebrd\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7BE8.tmp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5de88c5e-835a-475e-a4f9-aba923deb2a8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65e13be-989c-414f-b52c-c66f27a8a81f.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpB546.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB546.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpB546.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB546.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpB546.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB546.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19c09c0f-3de2-4cf4-8e72-122a37efd80c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e7f81e3-6ff7-4b34-8e73-68aa7cc7360d.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpEB0C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEB0C.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpEB0C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEB0C.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cac9df5-4bfd-4997-9cc1-1bc023dd4e6b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4f2274b-844d-415a-8a2c-742c32a7f3e8.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1DD4.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60e5904d-d840-412e-b860-fc97035861a0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75fed0d6-15bf-4be9-a8a3-43b9b2a10e82.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp3BDB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3BDB.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp3BDB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3BDB.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75f402b2-2743-4b30-b542-13257c7d98ee.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d42b1b6b-642a-4d9a-8892-2d60d5bfc41f.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp6E55.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6E55.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp6E55.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6E55.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce2e90c1-4fa9-412c-adf8-6a9b84d3a775.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4983321b-db0b-4575-aa50-de069424f698.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA0EE.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22d3f6a3-3a73-4fe7-b934-517905ca7d89.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2bf1b53-5037-43ea-add0-d3d99ff5d5a6.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpBE98.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBE98.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpBE98.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBE98.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpBE98.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBE98.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4072bd20-4c75-4f94-b3a0-231049823541.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da638718-b6bb-49a2-b40d-1d0312362e50.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a26cbe5-0138-40ba-a031-1c3b30775221.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\420aca1b-9054-4540-997a-5d5a02ae4d08.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp2512.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2512.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp2512.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2512.tmp.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c56ecc7a-1c1b-44db-870a-9b26f621c9d7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9c53a7b-7995-4cf4-b88c-3aed4e7dc6db.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp422F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp422F.tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 81888.cllt.nyashteam.ru | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | 8.2.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
Files