Analysis Overview
SHA256
287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924
Threat Level: Known bad
The file 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Colibri family
Dcrat family
DcRat
Colibri Loader
UAC bypass
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
System policy modification
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 00:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 00:41
Reported
2024-11-17 00:43
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Colibri Loader
Colibri family
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A |
Executes dropped EXE
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp2E5E.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp2476.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpFA9C.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpBB8F.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp80E3.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB486.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\WindowsRE\conhost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
"C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
"C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\WaaSMedicAgent.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WaaSMedicAgent.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\WaaSMedicAgent.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\tmpBB8F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBB8F.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpBB8F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBB8F.tmp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xTjmO3n2kD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157a6be7-d5f3-4c65-b285-fd08dc96cda9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1461b49a-5792-4dc1-8b52-a1175cd0c201.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpFA9C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpFA9C.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpFA9C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpFA9C.tmp.exe"
C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f938364c-d04a-4406-9583-deb7f23ecc51.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5e973a3-db19-4e67-abea-4a7534d5e81e.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp2E5E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2E5E.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp2E5E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2E5E.tmp.exe"
C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\037aed1a-691a-444c-b856-a29f2bca9b5a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38927d96-25fd-4f95-a397-9900faa59c76.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6165.tmp.exe"
C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5750d69d-cbd7-4920-91ad-471b14ce74af.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b379774-da51-49fb-a7e7-cd9d72e3d871.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp80E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp80E3.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp80E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp80E3.tmp.exe"
C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40ba00df-90f7-4a67-9983-e21b1501edce.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b39fb21-d167-4946-8fa6-1d551ff1a984.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpB486.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB486.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpB486.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB486.tmp.exe"
C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80b804b9-2287-4138-90b9-7b216b57ea4a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78c59cc3-87ee-48b0-b23d-e543d747c8cd.vbs"
C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.exe"
C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cf6bacf-2d8e-4153-8bf6-102b92a81622.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db655fd0-c936-4536-9325-f9fc84b525af.vbs"
C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46254086-d9d7-4223-98e2-07491ce39ab5.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dcb370f-60bf-41e3-ae70-f4338b1ddba2.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp2476.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2476.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp2476.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2476.tmp.exe"
C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40d87f4b-37fe-4f58-b320-364382a9557a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4651250-57b2-4e30-b672-3f0b9a1dd072.vbs"
C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81888.cllt.nyashteam.ru | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | 8.2.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 8.8.8.8:53 | zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc | udp |
| US | 8.8.8.8:53 | yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx | udp |
| US | 104.21.2.8:80 | 81888.cllt.nyashteam.ru | tcp |
Files
memory/1832-0-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp
memory/1832-1-0x00000000004C0000-0x00000000009B4000-memory.dmp
memory/1832-2-0x000000001B790000-0x000000001B8BE000-memory.dmp
memory/1832-3-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp
memory/1832-4-0x00000000012B0000-0x00000000012CC000-memory.dmp
memory/1832-7-0x00000000012F0000-0x0000000001300000-memory.dmp
memory/1832-6-0x00000000012E0000-0x00000000012E8000-memory.dmp
memory/1832-5-0x000000001BF10000-0x000000001BF60000-memory.dmp
memory/1832-9-0x0000000002D90000-0x0000000002DA0000-memory.dmp
memory/1832-8-0x0000000001310000-0x0000000001326000-memory.dmp
memory/1832-10-0x0000000002DA0000-0x0000000002DAA000-memory.dmp
memory/1832-11-0x0000000002DB0000-0x0000000002DC2000-memory.dmp
memory/1832-12-0x000000001C490000-0x000000001C9B8000-memory.dmp
memory/1832-13-0x000000001BEC0000-0x000000001BECA000-memory.dmp
memory/1832-15-0x000000001BEE0000-0x000000001BEEE000-memory.dmp
memory/1832-14-0x000000001BED0000-0x000000001BEDE000-memory.dmp
memory/1832-17-0x000000001BF00000-0x000000001BF08000-memory.dmp
memory/1832-16-0x000000001BEF0000-0x000000001BEF8000-memory.dmp
memory/1832-18-0x000000001BF60000-0x000000001BF6C000-memory.dmp
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RuntimeBroker.exe
| MD5 | 397875ccdde144b8118a6c31e9f2ddf5 |
| SHA1 | 2dd084fb6fcf3f88ec0e377e3d588e72db36a7e7 |
| SHA256 | 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924 |
| SHA512 | d596ef357651886280750397c6d46c2cd67c452dd66181ba6cee487c6b8f2780f6e9d7e313809860ff258507d3c05b6c0a13ecdb5527c8be54fb3e4ff84684d7 |
C:\Users\Admin\AppData\Local\Temp\tmp9D4A.tmp.exe
| MD5 | e0a68b98992c1699876f818a22b5b907 |
| SHA1 | d41e8ad8ba51217eb0340f8f69629ccb474484d0 |
| SHA256 | 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f |
| SHA512 | 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2 |
memory/2380-51-0x0000000000400000-0x0000000000407000-memory.dmp
memory/2628-91-0x00000222E75B0000-0x00000222E75D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ca14r1xd.iv0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1832-184-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 28d4235aa2e6d782751f980ceb6e5021 |
| SHA1 | f5d82d56acd642b9fc4b963f684fd6b78f25a140 |
| SHA256 | 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638 |
| SHA512 | dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2 |
memory/1436-187-0x000000001BD00000-0x000000001BD12000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aaaac7c68d2b7997ed502c26fd9f65c2 |
| SHA1 | 7c5a3731300d672bf53c43e2f9e951c745f7fbdf |
| SHA256 | 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb |
| SHA512 | c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a8e8360d573a4ff072dcc6f09d992c88 |
| SHA1 | 3446774433ceaf0b400073914facab11b98b6807 |
| SHA256 | bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b |
| SHA512 | 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe.log
| MD5 | bbb951a34b516b66451218a3ec3b0ae1 |
| SHA1 | 7393835a2476ae655916e0a9687eeaba3ee876e9 |
| SHA256 | eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a |
| SHA512 | 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4c557aa00dc4a6ff86db4be1735e9d30 |
| SHA1 | 7c155ad08e280926832bdad0aa948843de2ce5a2 |
| SHA256 | aad198f453bdcef5e479c7e622c005782f94d0b391798245284aad9506fa7e48 |
| SHA512 | 2c311b272941308197e3f2fe9d961dda9682dfd514cc48bc63b156afb0d18cace8635f0d080b9f77ed43e67b551232a6fb5b86e88c2414f8bd2f32cbe5521ae2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ea33fe1222c0bc4647737868951b9fe0 |
| SHA1 | 575b4a53baedd0e0e880c1a8f03088c34990fd37 |
| SHA256 | 1863a52e9341cfe488dc4ee7f24a7bf9511607423b6e588581e41a9c144dbf46 |
| SHA512 | a711fc2818346247df489106fe5fe80aa89eed8f92d0b5ea977c773f50e067de4fa38b130a03464b1d9cb21775dc01e2ff624329c6f97b2ab888854a6bf26e38 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3e242d3c4b39d344f66c494424020c61 |
| SHA1 | 194e596f33d54482e7880e91dc05e0d247a46399 |
| SHA256 | f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e |
| SHA512 | 27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 120c6c9af4de2accfcff2ed8c3aab1af |
| SHA1 | 504f64ae4ac9c4fe308a6a50be24fe464f3dad95 |
| SHA256 | 461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222 |
| SHA512 | 041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f0a41fc9c1123bb127e55ecc66c8f052 |
| SHA1 | 57152411758fa3df2623cc8a4df6d9fea73652f8 |
| SHA256 | a4fe2be2c449e841f6a12d32114672b097fc1058b6f2971a03521220a0228745 |
| SHA512 | e3e967adac361ddcf8240cf641f3e77eacfefc61dec725b8ae12e6a94f7d2ebd937fb9eb3cd068a0b3d4306e163dc87773b322bc2dd8b7df93b8103d0e99a900 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a9a7f35c006bbf5da72f9cb250ffbddb |
| SHA1 | 458a8cedc38dac109631d9fccb3bf6d2c5c0e89e |
| SHA256 | a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b |
| SHA512 | d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131 |
C:\Users\Admin\AppData\Local\Temp\157a6be7-d5f3-4c65-b285-fd08dc96cda9.vbs
| MD5 | a1948b71a0b336d366c94c1c96c41b8a |
| SHA1 | 1e1f957486c5619d380ad496249542e43956afa8 |
| SHA256 | e755663778c46a8271f257c75825ac601d1ce441e9a4c14b5690307cf593e6ec |
| SHA512 | 6c63bed5e37e060439778d313eb864052711255c87461ea958d23b338cacbb3dbf165c19a070520b0ea0ef934f9a3a2d622d3d485c7fdfb7a0189c16720ea1b9 |
C:\Users\Admin\AppData\Local\Temp\1461b49a-5792-4dc1-8b52-a1175cd0c201.vbs
| MD5 | edc0ceaff70f304f908868a6ac4bde8e |
| SHA1 | 76a601acce1218bfd0613041fd2f5daf461a577d |
| SHA256 | 4a406a17f6b5a0cad8ce4aff64bbf9c3354c4c33d53813747fb218154a42388c |
| SHA512 | c7d7d1bf12539b65ffa784dd1df68dc1f59b9ae5303bc73054e29d952bda39fc465bcecbd69f2b444c53da747c243be3482e90d6753678d333396c06bee2703e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
| MD5 | 4a667f150a4d1d02f53a9f24d89d53d1 |
| SHA1 | 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97 |
| SHA256 | 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd |
| SHA512 | 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8 |
C:\Users\Admin\AppData\Local\Temp\f938364c-d04a-4406-9583-deb7f23ecc51.vbs
| MD5 | fa3ceb772c8084825a177635ebbe63c0 |
| SHA1 | 8093807c51ba9619c7d1276124f1bb03a0a75f72 |
| SHA256 | 42828286448e89dc5db7f1b9552a3444e09aa2830464cf73105dfd1279e1aabe |
| SHA512 | 9992a52606a326fb6b9875bf66f76f9e83786b33496643530bdf28a5d69c5d3c1892e4850d89baec33f2ef62feb21f880ae9777a79cf5f6533187e8cb2608439 |
memory/808-448-0x000000001C200000-0x000000001C212000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\037aed1a-691a-444c-b856-a29f2bca9b5a.vbs
| MD5 | 0242ca133076dad2c24c35b6de9d089e |
| SHA1 | 28e7113ed151dafd4f197d926d95069900b519f8 |
| SHA256 | bebb50f01b58a20c0498a98448819b2e99ad93f2c6391a120ec50861ede98ac2 |
| SHA512 | 377e5a612ab53fd7460d652b224f795f7bbb9589700cc2025a6c7bffef02b9c7d29972ab531f5ef853282b87f6a003e6d6ade01d44d0d42c1a4ccf1398ae13f1 |
C:\Users\Admin\AppData\Local\Temp\5750d69d-cbd7-4920-91ad-471b14ce74af.vbs
| MD5 | cd4e1ccddbbcf8fb1b2915e1efae6765 |
| SHA1 | f116f781b3628556eeebf2a5756fc733f677e26a |
| SHA256 | f514b0bab60e4f4bb07c0742c479d9cc7e9b6a7b676ffc14d495cca4d02bbe07 |
| SHA512 | 397644899d99150ed98c3e02c729789fe02da1021484db842f8f88a3e18c50b9768a354b83f39397a56e83554276f82ed2f88dfb9ad9c007f7b896a20d6f224f |
C:\Users\Admin\AppData\Local\Temp\40ba00df-90f7-4a67-9983-e21b1501edce.vbs
| MD5 | 958ee5f6c7bdca76aa465ffc5ba8f551 |
| SHA1 | 5d3fd18820a885956188686826bb1286f40de500 |
| SHA256 | e720c13f724a2dd7b015d71b66d8e6c9f4d0f44b13b43d71f787c7017098967d |
| SHA512 | d6850051c7884cb31b419f226c911ce9a96f154a8a4fe1b0e2fc2e3d96682451ca84c77ec1611d22fbb3a21d3071f88f1e72c6770cb934d496bbe5ab6eccbc98 |
memory/5008-516-0x0000000001930000-0x0000000001942000-memory.dmp
memory/1836-544-0x000000001BA00000-0x000000001BA12000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 00:41
Reported
2024-11-17 00:43
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Application Data\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\Application Data\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\Application Data\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\Application Data\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\Application Data\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\Application Data\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\Application Data\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\Application Data\wininit.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Application Data\wininit.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
"C:\Users\Admin\AppData\Local\Temp\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a39242" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Users\Admin\Application Data\wininit.exe
"C:\Users\Admin\Application Data\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bd6bf1e-82de-4074-9d3a-2f057b677a82.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5db8d149-89a6-4816-980b-601fef0c9c54.vbs"
C:\Users\Admin\Application Data\wininit.exe
"C:\Users\Admin\Application Data\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\374262ac-dd5c-47d8-a475-2f7fadbe8def.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fa166ea-e88a-4227-9b7f-2d0d17066c5f.vbs"
C:\Users\Admin\Application Data\wininit.exe
"C:\Users\Admin\Application Data\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107b22d1-7c6b-46c8-8e9e-025726b1afb8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9963650b-c13b-4c17-b360-9a87926a7810.vbs"
C:\Users\Admin\Application Data\wininit.exe
"C:\Users\Admin\Application Data\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdcb3944-405b-4596-ac1d-fdd859fec1ea.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0415fb31-567b-4a2c-95cc-fdd050bc24f8.vbs"
C:\Users\Admin\Application Data\wininit.exe
"C:\Users\Admin\Application Data\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76a1eac6-3a6c-4384-8fa6-5949679666c9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6033a3c-4160-42f4-bb78-562d5f0dc5bb.vbs"
C:\Users\Admin\Application Data\wininit.exe
"C:\Users\Admin\Application Data\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91c5bc0d-3f00-4824-933d-ea3553c7ab32.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a58d0fe-d03a-41e3-b01e-52e23b2fa382.vbs"
C:\Users\Admin\Application Data\wininit.exe
"C:\Users\Admin\Application Data\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a657ec6-44b2-4ec6-9668-0c4130d1fca1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff84e61a-55a0-4874-9bcf-8ebccc13a840.vbs"
C:\Users\Admin\Application Data\wininit.exe
"C:\Users\Admin\Application Data\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a849ba9c-06b8-4add-8f2f-2acd07454c8e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278454c5-440e-4ec1-addf-2e8ddafcbbca.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81888.cllt.nyashteam.ru | udp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
| US | 172.67.186.200:80 | 81888.cllt.nyashteam.ru | tcp |
Files
memory/3016-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp
memory/3016-1-0x0000000000F60000-0x0000000001454000-memory.dmp
memory/3016-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
memory/3016-3-0x000000001B520000-0x000000001B64E000-memory.dmp
memory/3016-4-0x0000000000420000-0x000000000043C000-memory.dmp
memory/3016-5-0x00000000004C0000-0x00000000004C8000-memory.dmp
memory/3016-6-0x00000000004D0000-0x00000000004E0000-memory.dmp
memory/3016-7-0x00000000004E0000-0x00000000004F6000-memory.dmp
memory/3016-8-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3016-9-0x0000000000620000-0x000000000062A000-memory.dmp
memory/3016-10-0x0000000000C50000-0x0000000000C62000-memory.dmp
memory/3016-11-0x0000000000C60000-0x0000000000C6A000-memory.dmp
memory/3016-12-0x0000000000C70000-0x0000000000C7E000-memory.dmp
memory/3016-13-0x0000000000D00000-0x0000000000D0E000-memory.dmp
memory/3016-14-0x0000000000D10000-0x0000000000D18000-memory.dmp
memory/3016-15-0x0000000000E60000-0x0000000000E68000-memory.dmp
memory/3016-16-0x0000000000E70000-0x0000000000E7C000-memory.dmp
C:\ProgramData\Microsoft Help\287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924.exe
| MD5 | 397875ccdde144b8118a6c31e9f2ddf5 |
| SHA1 | 2dd084fb6fcf3f88ec0e377e3d588e72db36a7e7 |
| SHA256 | 287526315843ee93b7fa8dd61f37e9d9be0c6eda8115c17e1fb26af5a16a3924 |
| SHA512 | d596ef357651886280750397c6d46c2cd67c452dd66181ba6cee487c6b8f2780f6e9d7e313809860ff258507d3c05b6c0a13ecdb5527c8be54fb3e4ff84684d7 |
C:\Program Files\Windows Defender\ja-JP\RCXDB9D.tmp
| MD5 | ee54e451e2874e9bce1b0d2343319f0d |
| SHA1 | e8965dc7fa9448bc77160a1d90c6cc03251e8fa3 |
| SHA256 | f01ce3e5e55c3c5948ce01ceb3884898ac34b90a60c0bf2f08b75a1f326c281e |
| SHA512 | 4ae99cc7c1483f25951ff3d698cd21bfdab289de66ec10d16178e613e539982f151d4f092ad407cb55e166816fd9e618003ed8044d32660c80bb5edb3296ee1f |
memory/3016-140-0x000007FEF6033000-0x000007FEF6034000-memory.dmp
memory/3016-155-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KW616HCW37JRWJER9M4R.temp
| MD5 | 1b0cc943f29854eeae0ae7511a488ad3 |
| SHA1 | f4d0e988c521b310a52e62d51b23e355b1132125 |
| SHA256 | dd2ba0472641ebf30f4e9fffc41179e56dee84ce09d3bb59c3d4f37106f38cb1 |
| SHA512 | dd524fe3db0f8a8a2f61596df26745b5284b1474a33f6c164dbcb47298d52a23b48d5351e0815ec9a3f51d3ceeefeed79b0d7f3ada8eba33d28454bea4a3170f |
memory/2336-231-0x0000000000040000-0x0000000000534000-memory.dmp
memory/3016-251-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
memory/404-250-0x0000000001E30000-0x0000000001E38000-memory.dmp
memory/404-249-0x000000001B500000-0x000000001B7E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFB5F.tmp.exe
| MD5 | e0a68b98992c1699876f818a22b5b907 |
| SHA1 | d41e8ad8ba51217eb0340f8f69629ccb474484d0 |
| SHA256 | 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f |
| SHA512 | 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2 |
C:\Users\Admin\AppData\Local\Temp\5db8d149-89a6-4816-980b-601fef0c9c54.vbs
| MD5 | a9bb6097d17200080b3825e9fad638ec |
| SHA1 | 8987716ba4f37ad171eec62b1004a790833cba4e |
| SHA256 | 32dbda849fb5b47c7ea0e3fadade31d5548240dd2fe8a447b6959203457cf329 |
| SHA512 | 4f534afe3b0a29120a64305b580b979dfbff0c6b2d893565a778d5447b23ae398d087d38f2e62354d4b2d596e8042048f3c2f7a7fab3ffe2e0c2c64b277c5493 |
C:\Users\Admin\AppData\Local\Temp\8bd6bf1e-82de-4074-9d3a-2f057b677a82.vbs
| MD5 | f8cfc3f9946432a996628333174d264b |
| SHA1 | b93256a2b4e8bc423df80913ed3d145e1197cbee |
| SHA256 | e5679d2556b1386ed6c5d0cbc81a4689275e40f6c23353d5a7c13e9da2b51870 |
| SHA512 | 6756cdd649ce35dd42f0f205c1858bdd65345bcccdaaa9dda56fc7d6edf60a4b46bf5d3ba4a034438497b82a3814fe7c65ab76210efaba4bb2c833bb402f6c3d |
memory/2888-265-0x0000000000A50000-0x0000000000F44000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\374262ac-dd5c-47d8-a475-2f7fadbe8def.vbs
| MD5 | 5f330f0626c4f53f705bf48cd3a54418 |
| SHA1 | 0dabb32b0928834fda088622ec168d4bd2ffe010 |
| SHA256 | db88df62a62ccfc1f737d164cd34327904cbc5e3d69bb886b69356c859a5218d |
| SHA512 | 048a4a5b35c4ed153af9cf9ea60290a74ae531e18538cfdf9413f25ce3e5e03b815681532be76da1e50f23627fc5e57e95d8136d6a272cdbb65faf256334f4f8 |
memory/2148-280-0x0000000000B90000-0x0000000001084000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\107b22d1-7c6b-46c8-8e9e-025726b1afb8.vbs
| MD5 | e3c7616b65878eb2e2f5ad6f20f7baa0 |
| SHA1 | 892149bea31e2fd65cacc72b4b7c629fcbf50782 |
| SHA256 | 8202175de45b1c60a6080fd24dae8f8a2299b1bc7ea5bd5b4fbb69b5246d0982 |
| SHA512 | bb83539767953212a936d8f446243e87c5b49b50ff258ab9ce38d649691567f4581635fde12e5a395b19bed1ab64b4d67f1cb008e8cbc55c8ced117d9f77adde |
memory/1568-295-0x0000000000FD0000-0x00000000014C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bdcb3944-405b-4596-ac1d-fdd859fec1ea.vbs
| MD5 | 5dc71af99b7c08bbdcba45c45882475b |
| SHA1 | cfe6bed4a50a124212ea883316f63d12c736859c |
| SHA256 | 5ef9d1e421d6b08abe28166ede5848681b0a11b593b2f3a19ae7b1a67d8f9974 |
| SHA512 | 5e9ea81393288bf57290d6f86bfa9fd7d5021560da6c458d8b55960dee25a7364241613fc1f06aea74a2cc899f7c10edaf99f38f94af94b8c07cdbfd3975d7ed |
C:\Users\Admin\AppData\Local\Temp\76a1eac6-3a6c-4384-8fa6-5949679666c9.vbs
| MD5 | ac2dae5fe9829bd17f82c1e9abb10ee8 |
| SHA1 | 4e8f9c50266dccf08294b859ed3c8fed211261b7 |
| SHA256 | cb0d2389c7e27264f561b2bd3957ee4fdc640f7e86b6108ac14b9a93c1f7bdba |
| SHA512 | 78ea2db51f8ef2bd420cd41d1470e7f7326d424b4cfe5a83247feabafbd67bb5bd7c83eff4981a30b7908113cf6b0e6c5df492fb347ddb3bc9cfc301a4d4b39a |
memory/1980-324-0x00000000000E0000-0x00000000005D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\91c5bc0d-3f00-4824-933d-ea3553c7ab32.vbs
| MD5 | 5819be66f4220bdf573614a1e20a7e0b |
| SHA1 | 67dcce478d139d74ebb8719d6d5d51fc3a9af3dd |
| SHA256 | 35693f3a839e3140e7877c6f31b448030f882c59cc02cdd3b9ef07bfd4728cc6 |
| SHA512 | 2eeaa7c5b01c4e4328d23860987f6a4425f4d5ca908781d84f83f0be4015900b2e4bbc387ea2a138b11aa84d0038741d14a47929c08f930395ab72b7267e8d4a |
memory/1068-339-0x00000000008E0000-0x0000000000DD4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4a657ec6-44b2-4ec6-9668-0c4130d1fca1.vbs
| MD5 | 5c4166b9e2d44b7696b82de8e0514a83 |
| SHA1 | c3d9c314e6ef48eb9010d02fa62fb423d6a14961 |
| SHA256 | 2cd425e6fcdcd1675246007c7972a7aa1e21f51aaaee1400bbb7bf42e70ea644 |
| SHA512 | 5afb61032bec34564185f3860a3ca89e4a6169642b22a75219ab055a48850948d1e14fc75105258de1b7b3208486a1e9f364c500d73a6909cea5437dfd3008dd |
memory/2408-354-0x00000000011F0000-0x00000000016E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a849ba9c-06b8-4add-8f2f-2acd07454c8e.vbs
| MD5 | c3c6864bbca422079612c035846c14da |
| SHA1 | 90619d30b38931ba93b42b03ce6df43753e3198e |
| SHA256 | 28ed01cd9bff28482f912c89e27bcbcce2aeb31e49ce55115cf982564455f42f |
| SHA512 | 0b905585dd00621398548e5f3fea782910f0e48b8ae63d1b752f694214085ebb92456b02f729d0b00bb9ab35b98565df4316680c26bd39c89c22f684e86e7956 |