Malware Analysis Report

2025-08-06 00:36

Sample ID 231207-bc75rsgdcq
Target 0924b9eca922c9227c4f426be5174bae.exe
SHA256 e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8
Tags
rat dcrat evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8

Threat Level: Known bad

The file 0924b9eca922c9227c4f426be5174bae.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence trojan

DCRat payload

Process spawned unexpected child process

Dcrat family

UAC bypass

Modifies WinLogon for persistence

DcRat

DCRat payload

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

System policy modification

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 01:01

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 01:01

Reported

2023-12-07 01:03

Platform

win7-20231023-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (25 identical rows)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A (29 identical rows)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default User\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\dwm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\driversessioncrt\\lsm.exe\", \"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\", \"C:\\driversessioncrt\\wininit.exe\", \"C:\\Windows\\Help\\mui\\winlogon.exe\", \"C:\\driversessioncrt\\System.exe\", \"C:\\Users\\Default User\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (54 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (32 identical rows)

Disables Task Manager via registry modification

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\driversessioncrt\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\driversessioncrt\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\driversessioncrt\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Help\\mui\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\driversessioncrt\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\driversessioncrt\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\driversessioncrt\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\driversessioncrt\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Help\\mui\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\winRefMonitor.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\driversessioncrt\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\dwm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Journal\\es-ES\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\f596bfe2-7211-11ee-b58c-fd22f4f772f4\\dwm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\spoolsv.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\Idle.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\it-IT\f3b6ecef712a24 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\Idle.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\6ccacd8608530f C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\101b941d020240 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Journal\es-ES\wininit.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Journal\es-ES\56085415360792 C:\driversessioncrt\winRefMonitor.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\mui\winlogon.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\Help\mui\cc11b995f2a76d C:\driversessioncrt\winRefMonitor.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A
N/A N/A C:\Users\Default User\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\driversessioncrt\winRefMonitor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\Idle.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 2632 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2632 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2632 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2632 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2632 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2632 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2632 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2304 wrote to memory of 2884 N/A C:\driversessioncrt\winRefMonitor.exe C:\Users\Default User\Idle.exe
PID 2304 wrote to memory of 2884 N/A C:\driversessioncrt\winRefMonitor.exe C:\Users\Default User\Idle.exe
PID 2304 wrote to memory of 2884 N/A C:\driversessioncrt\winRefMonitor.exe C:\Users\Default User\Idle.exe
PID 2632 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1216 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2884 wrote to memory of 1216 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2884 wrote to memory of 1216 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2884 wrote to memory of 2868 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2884 wrote to memory of 2868 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2884 wrote to memory of 2868 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 1216 wrote to memory of 1552 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 1216 wrote to memory of 1552 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 1216 wrote to memory of 1552 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 1552 wrote to memory of 2108 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 2108 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 2108 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 1500 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 1500 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 1500 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2108 wrote to memory of 2568 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 2108 wrote to memory of 2568 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 2108 wrote to memory of 2568 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 2568 wrote to memory of 1460 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 1460 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 1460 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 2376 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 2376 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 2376 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 1460 wrote to memory of 2440 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 1460 wrote to memory of 2440 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 1460 wrote to memory of 2440 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 2440 wrote to memory of 1788 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2440 wrote to memory of 1788 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2440 wrote to memory of 1788 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2440 wrote to memory of 1000 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2440 wrote to memory of 1000 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2440 wrote to memory of 1000 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 1788 wrote to memory of 2176 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 1788 wrote to memory of 2176 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 1788 wrote to memory of 2176 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\Idle.exe
PID 2176 wrote to memory of 2600 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 2600 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 2600 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 2232 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 2232 N/A C:\Users\Default User\Idle.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\Idle.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe

"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "

C:\driversessioncrt\winRefMonitor.exe

"C:\driversessioncrt\winRefMonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Help\mui\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\mui\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\driversessioncrt\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\driversessioncrt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\driversessioncrt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 13 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winRefMonitor" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 5 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winRefMonitor.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\driversessioncrt\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\driversessioncrt\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\driversessioncrt\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\driversessioncrt\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dwm.exe'" /rl HIGHEST /f

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f496a16-fc3b-4cc0-8652-ae7f58aa0eaf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9fdf753-e3ad-46b6-9559-ee2e7e90e770.vbs"

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d14c06b-8378-4731-b165-4807a2518949.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1bbcefe-454d-44af-8024-914c7d82a315.vbs"

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24a0d647-ff7e-49cb-9934-340a5d72a931.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fb7e341-36b1-4fa3-aaa1-61cb70739857.vbs"

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d7fb275-0fc6-42a5-9b5f-1c8c08fc1351.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\910e23da-a579-4e41-9d81-7afe33bd8605.vbs"

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d35bec90-31dc-46b3-8696-fb9d5f90b5cc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b58bb03-84ed-41ef-9258-91ec62b1f6a5.vbs"

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a591c9e4-ff40-4f7f-aa46-d91683971f20.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f46b3da-4289-4cd9-a01f-e769fe45c79d.vbs"

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4386507-e143-426a-8a68-8e9952d04003.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9114eb4-1a01-47a1-8f54-3c71d0b607fd.vbs"

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b08d09c4-c313-4eb6-8a44-8c465bbbbe03.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71cde320-ff3e-4e44-b296-91a77191491a.vbs"

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41113b90-1b69-459b-ac26-23d086d89439.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34ebc9b-80a3-4361-afb8-3067b4282ee9.vbs"
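The process list above is the whole DCRat persistence routine laid out in command lines: every dropped copy is registered three times with schtasks (two MINUTE triggers with different intervals and one ONLOGON trigger, the latter two at /rl HIGHEST), each copy carries the name of a Windows system process while living under Program Files, Recovery, MSOCache or a user profile, Task Manager is switched off through HKCU\...\Policies\System, and every Idle.exe run hands off to WScript.exe with a freshly GUID-named .vbs in %TEMP%. The Python below is an added example, not part of the sandbox report; it parses lines of exactly this form and flags them. The impersonated-name list, the 15-minute threshold, the C: system-drive assumption and the benign control line are assumptions made for the example, not values taken from the report.

```python
"""Persistence triage over the schtasks / reg / wscript command lines above.
Added example, not part of the sandbox report; the name list, the 15-minute
threshold and the benign control line are assumptions for the example."""
import ntpath
import re

# A bare token, or a double-quoted run that may contain spaces.
TOKEN = re.compile(r'"[^"]*"|\S+')
# Names this DCRat build borrows for its dropped copies (no legitimate Idle.exe exists).
SYSTEM_NAMES = {"lsm.exe", "wininit.exe", "winlogon.exe", "spoolsv.exe",
                "dwm.exe", "idle.exe", "csrss.exe", "lsass.exe", "svchost.exe"}
# Where those names are legitimate (assumes the system drive is C:).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# reg add HKCU\...\Policies\System /v DisableTaskMgr ... /d 1
DISABLE_TASKMGR = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*?\\policies\\system\b.*?/v\s+disabletaskmgr\b.*?/d\s+1\b", re.I)
# wscript.exe launching a GUID-named .vbs straight out of %LOCALAPPDATA%\Temp.
TEMP_GUID_VBS = re.compile(
    r"wscript\.exe.*\\appdata\\local\\temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.vbs", re.I)


def parse_schtasks(cmdline):
    """Return {'/flag': value} for a `schtasks /create` line, else None. A flag
    followed by a non-flag token takes it as value; bare flags map to True."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]  # quoted paths stay whole
    lowered = [t.lower() for t in toks]
    if not toks or not lowered[0].endswith("schtasks.exe") or "/create" not in lowered:
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[lowered[i]] = toks[i + 1]
                i += 1
            else:
                opts[lowered[i]] = True
        i += 1
    if isinstance(opts.get("/tr"), str):   # this sample wraps the path in '...'
        opts["/tr"] = opts["/tr"].strip("'")
    return opts


def assess_task(opts):
    """Reasons a parsed /create is suspicious; an empty list means none noted."""
    reasons = []
    target = opts.get("/tr", "")
    if (ntpath.basename(target).lower() in SYSTEM_NAMES
            and ntpath.dirname(target).lower() not in SYSTEM_DIRS):
        reasons.append(f"system-process name outside a system directory: {target}")
    sched = str(opts.get("/sc", "")).upper()
    if sched == "MINUTE" and int(opts.get("/mo", 1)) <= 15:
        reasons.append(f"re-armed every {opts.get('/mo', 1)} minute(s)")
    elif sched == "ONLOGON":
        reasons.append("runs at every logon")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: highest privileges the creating account holds")
    return reasons


def triage(cmdlines):
    """Map each command line to its findings; unremarkable lines are omitted."""
    findings = {}
    for cmd in cmdlines:
        opts = parse_schtasks(cmd)
        if opts is not None:
            reasons = assess_task(opts)
        elif DISABLE_TASKMGR.search(cmd):
            reasons = ["disables Task Manager via HKCU Policies\\System"]
        elif TEMP_GUID_VBS.search(cmd):
            reasons = ["wscript.exe running a GUID-named .vbs from %TEMP%"]
        else:
            reasons = []
        if reasons:
            findings[cmd] = reasons
    return findings


def persistence_targets(cmdlines):
    """Group /create lines by launched binary: DCRat registers each dropped copy
    three times, two MINUTE tasks with differing /mo plus one ONLOGON task."""
    groups = {}
    for cmd in cmdlines:
        opts = parse_schtasks(cmd)
        if opts and isinstance(opts.get("/tr"), str):
            groups.setdefault(opts["/tr"], []).append(
                (opts.get("/tn"), str(opts.get("/sc", "")).upper()))
    return groups


SAMPLE_CMDLINES = [  # first six copied from the behavioral1 process list above
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /f''',
    r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f''',
    r'''reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f''',
    r'''"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f496a16-fc3b-4cc0-8652-ae7f58aa0eaf.vbs"''',
    # Constructed benign control (not from the report): a vendor backup task.
    r'''schtasks.exe /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',
]
```

Running `triage(SAMPLE_CMDLINES)` flags the six report lines and leaves the constructed backup task alone; `persistence_targets` shows the lsm.exe copy under Shared Gadgets registered as lsml/MINUTE, lsm/ONLOGON and lsml/MINUTE again, the triple that repeats for every dropped copy in the list. Two caveats for turning this into a production rule: the masquerade check keys on the file name only, so a dropped copy with a non-system name would pass it and still be caught only by the re-arm interval and ONLOGON/HIGHEST combination; and /rl HIGHEST grants the highest privileges available to the account that created the task, so these tasks are elevated persistence only because the dropper already ran with (or bypassed its way to) administrative rights, which is consistent with the UAC-related signatures on this report.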

Network

Country Destination Domain Proto
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.144.70:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.70:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.70:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.70:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.70:80 tool5245636476.000webhostapp.com tcp

Files

memory/2732-0-0x0000000000BC0000-0x0000000000FE8000-memory.dmp

memory/2732-12-0x0000000000BC0000-0x0000000000FE8000-memory.dmp

C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe

MD5 d7664d494b1b6e05334ada9accc57d06
SHA1 2cc50d284a600e30287fdef5efe56a586199eb28
SHA256 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6
SHA512 7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6

C:\driversessioncrt\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat

MD5 40a5023d150998b4ba256dd94ea31230
SHA1 36702bfd3e71b3495e61ea589003bb856b959aca
SHA256 e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc
SHA512 6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15

\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2304-20-0x0000000001380000-0x00000000016EA000-memory.dmp

memory/2304-21-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

memory/2304-22-0x000000001B190000-0x000000001B210000-memory.dmp

memory/2304-23-0x0000000000240000-0x000000000024E000-memory.dmp

memory/2304-24-0x0000000000250000-0x000000000025E000-memory.dmp

memory/2304-25-0x0000000000260000-0x0000000000268000-memory.dmp

memory/2304-26-0x00000000005A0000-0x00000000005BC000-memory.dmp

memory/2304-27-0x0000000000360000-0x0000000000368000-memory.dmp

memory/2304-28-0x0000000000580000-0x0000000000590000-memory.dmp

memory/2304-29-0x00000000005C0000-0x00000000005D6000-memory.dmp

memory/2304-30-0x00000000005E0000-0x00000000005E8000-memory.dmp

memory/2304-31-0x00000000005F0000-0x0000000000602000-memory.dmp

memory/2304-32-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

memory/2304-33-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

memory/2304-34-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

memory/2304-35-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

memory/2304-36-0x0000000000AE0000-0x0000000000B36000-memory.dmp

memory/2304-37-0x0000000000B30000-0x0000000000B3C000-memory.dmp

memory/2304-38-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

memory/2304-39-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

memory/2304-40-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

memory/2304-41-0x0000000001200000-0x0000000001212000-memory.dmp

memory/2304-42-0x0000000001230000-0x000000000123C000-memory.dmp

memory/2304-43-0x0000000001240000-0x000000000124C000-memory.dmp

memory/2304-44-0x0000000001250000-0x0000000001258000-memory.dmp

memory/2304-45-0x0000000001260000-0x000000000126C000-memory.dmp

memory/2304-46-0x0000000001270000-0x000000000127C000-memory.dmp

memory/2304-47-0x000000001AB20000-0x000000001AB28000-memory.dmp

memory/2304-48-0x000000001AB00000-0x000000001AB0C000-memory.dmp

memory/2304-49-0x000000001AAF0000-0x000000001AAFA000-memory.dmp

memory/2304-50-0x000000001AB10000-0x000000001AB1E000-memory.dmp

memory/2304-51-0x000000001AB30000-0x000000001AB38000-memory.dmp

memory/2304-52-0x000000001AB40000-0x000000001AB4E000-memory.dmp

memory/2304-53-0x000000001AB50000-0x000000001AB58000-memory.dmp

memory/2304-54-0x000000001AB60000-0x000000001AB6C000-memory.dmp

memory/2304-55-0x000000001AB70000-0x000000001AB78000-memory.dmp

memory/2304-56-0x000000001AB80000-0x000000001AB8A000-memory.dmp

memory/2304-57-0x000000001AB90000-0x000000001AB9C000-memory.dmp

C:\driversessioncrt\wininit.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Default User\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2884-100-0x0000000000810000-0x0000000000B7A000-memory.dmp

memory/2884-101-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

memory/2304-102-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

memory/2884-103-0x000000001B370000-0x000000001B3F0000-memory.dmp

memory/2884-104-0x00000000006E0000-0x00000000006F2000-memory.dmp

memory/2884-105-0x0000000002360000-0x0000000002372000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9fdf753-e3ad-46b6-9559-ee2e7e90e770.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

C:\Users\Admin\AppData\Local\Temp\1f496a16-fc3b-4cc0-8652-ae7f58aa0eaf.vbs

MD5 af14cd157ea3cd99f86fa101a56296dc
SHA1 8d003127e77b51e4a4839071ff57edd682a9c614
SHA256 5a3c5e310dfb2869a2bd25eca2593834f6d99bef899eae91c2ff87f59b9f5c78
SHA512 b4ce19496e962c1e5894482c82bd0b926b0c9d4350563b2ff706fd2a7376fece52aa17359d93ae6eefbd8da9df960576feb938c1ea95a94f9931093bee6c75a8

memory/2884-115-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/1552-118-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

memory/1552-117-0x0000000000BA0000-0x0000000000F0A000-memory.dmp

memory/1552-119-0x000000001B2D0000-0x000000001B350000-memory.dmp

memory/1552-120-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\1d14c06b-8378-4731-b165-4807a2518949.vbs

MD5 803097664d2b47bb181ad16b1efd0265
SHA1 5bd24cdf0730739e4c592a740d6fd9c7c81f2429
SHA256 da99f178cf10eb76265fa315799d1c616895db5347af425bc74624d52bd6b665
SHA512 22664bb345d1ff6b9d6748f4e7b7962cfdee39ab58f68c59ec729502e582a98d2a39b7144857a1d5514eba771598762eb6b2155b517d61ff2d1afa8b1e8ead42

C:\Users\Admin\AppData\Local\Temp\a1bbcefe-454d-44af-8024-914c7d82a315.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

C:\Users\Admin\AppData\Local\Temp\a1bbcefe-454d-44af-8024-914c7d82a315.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

memory/1552-131-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2568-133-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

memory/2568-134-0x000000001B1B0000-0x000000001B230000-memory.dmp

memory/2568-135-0x00000000024E0000-0x00000000024F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\24a0d647-ff7e-49cb-9934-340a5d72a931.vbs

MD5 f7fe6de5015506801350a7bccedb0c66
SHA1 9ed234ac8dd6a064cfc2d4f5496cc5d0b422ba28
SHA256 9840921768030374b20bc9e61420e07440b8a6f2f3e38ab62bcb998c0fd7c600
SHA512 ba5047e541e53a6af553b4c7e97059d83f89449dc12bb18f82780eda41a87a467fcd20af804f1a58531582201c4a47773ba66f23af5281466f0c6e0cd51f48de

C:\Users\Admin\AppData\Local\Temp\1fb7e341-36b1-4fa3-aaa1-61cb70739857.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

memory/2568-146-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2440-148-0x00000000000A0000-0x000000000040A000-memory.dmp

memory/2440-149-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

memory/2440-150-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/2440-151-0x0000000002190000-0x00000000021A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\7d7fb275-0fc6-42a5-9b5f-1c8c08fc1351.vbs

MD5 c575ea1bab586499ed030a88b0b032f9
SHA1 98cedd108b82c5fab3e60a09c7174abcf14acc6e
SHA256 8b77d8bfa8e93ecd9b35b6957c2e162ab54a39bf53fe3133083d082566bbfc4a
SHA512 c2d144668a478f82bfc781dfc69669911de2a5eb01ad4c7c464ead2c5b3d7bc8c864c7ec98768c7054395f92b9eb4654ec87ffea72a3b1ec8a89d648d6a7e1ca

C:\Users\Admin\AppData\Local\Temp\910e23da-a579-4e41-9d81-7afe33bd8605.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

memory/2440-162-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2176-164-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

memory/2176-165-0x0000000000E10000-0x000000000117A000-memory.dmp

memory/2176-166-0x000000001B1B0000-0x000000001B230000-memory.dmp

memory/2176-167-0x00000000006C0000-0x00000000006D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\d35bec90-31dc-46b3-8696-fb9d5f90b5cc.vbs

MD5 cc73c785ea800bdf94275a01d492b44b
SHA1 d3c5eeb4bedac2aaa5f2c8ff23c815ab54e8d373
SHA256 f44370a461586be250e1e4083744e6632a26e4013c94ac74017f9c8a22601cc4
SHA512 35eb31f7d5027d80650f43048571ab4921097bb8c39d5e3945aafea8bf9e40f453e6dd779b9e02a0378a0b072f66f3893c323bcffb861f4fd23e74923c8b66b7

C:\Users\Admin\AppData\Local\Temp\5b58bb03-84ed-41ef-9258-91ec62b1f6a5.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\8f46b3da-4289-4cd9-a01f-e769fe45c79d.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

C:\Users\Admin\AppData\Local\Temp\a591c9e4-ff40-4f7f-aa46-d91683971f20.vbs

MD5 5254277bb8994bafb66633a81d58e3e2
SHA1 41675568a9a2d669d64b81d0d1fd3d3dab815204
SHA256 c33ae29b8af1929c835b868f6808923c77b0388b7cb229de405c40b8757f13d8
SHA512 39bdc00189ec74c8cdcef1c20460badb4f2153a511ad18c4df4af777075171bb25b07c5879447e7f6518af9ef678f0e0e3ceaefdb1b2ce5c8f3e54c0441d652c

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\a4386507-e143-426a-8a68-8e9952d04003.vbs

MD5 9ee13cbb111f6d31347095a54d366596
SHA1 55ec550aaed63fb331c55d4c0afa3c4f87d81500
SHA256 ff634b14e2bc36852410165f3f0a2cd2c1c2faa4f41a10d0e459799e426bfa96
SHA512 59ad95306617853f2cf0c3cd619af307a170e6bdefdd775a78fe61cc44df24ce0f213a628136dfc640e8670722f29e84d9dbbdb584b5a1d8fae70761a91da266

C:\Users\Admin\AppData\Local\Temp\c9114eb4-1a01-47a1-8f54-3c71d0b607fd.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\b08d09c4-c313-4eb6-8a44-8c465bbbbe03.vbs

MD5 42ba3b0ea5e6ffd5edd8d99b60a1d238
SHA1 3cbd7f766904ca13be699fa343d4a99051dd0e14
SHA256 76a865fbf6da8b850b74c9c529e285d706c5c2699646ed5357187eff18012a31
SHA512 b3f44c6a230f7b47510636197a7b8816993fb80dc297aeb20d3f4aa189457661bd26c94b3f2aac857cb649a0c5057c23b3ac0dffa2f54e9d51ffba308eb0152c

C:\Users\Admin\AppData\Local\Temp\71cde320-ff3e-4e44-b296-91a77191491a.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877

C:\Users\Default\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\84d641edcc3716c8c5bc83e964bc2bf0d7c038db.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\41113b90-1b69-459b-ac26-23d086d89439.vbs

MD5 0fc91bda12256de30d9feacc9a3947c0
SHA1 6fa4bae559c5aaf586bc5f16230e0cb7820c62af
SHA256 45847ac06526de9eef77d8bded1595488875633b851c7a591e6143a0b8f1eb0a
SHA512 d14ed2f29556d2b1cb3eff47365b3b0bc2ebf384a7a09cfffc7330f411db3192cf09da3eba859eebb4a27ee2b4fe968e615104567fcffe8450ca193d49f82aa3

C:\Users\Admin\AppData\Local\Temp\d34ebc9b-80a3-4361-afb8-3067b4282ee9.vbs

MD5 f67289236d89602515d18e962b5fc536
SHA1 508b3bedbf20b5f8de85ac7773209ef81d93cf05
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
SHA512 3d7a16764f38c7248d037a5547cdec932e2d51ddd01cb7afe0de2d0bb6fc9a61c99469e77b1d45b6c71f9ee11641725466af033a961d927b9bf345d630d59877
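The Files list above repeats a handful of digests many times: the 9e7a70da... binary is written as winRefMonitor.exe, wininit.exe, Idle.exe and 84d641ed...exe, the d9f8e08c... script is re-dropped under a new GUID name on every loop, and the other %TEMP% scripts carry a different digest each iteration. Grouping the listing by hash collapses it to the few distinct artefacts worth blocking or pulling. The Python below is an added example, not part of the sandbox report; its input is an excerpt copied from the listing above with only the MD5 and SHA256 lines kept, and the assumption that a drive-less path such as \driversessioncrt\winRefMonitor.exe sits on C: is the author's, not something the report states.

```python
"""Cluster the dropped files from a sandbox Files listing by hash.
Added example, not part of the sandbox report. FILES_EXCERPT is copied from
the listing above (MD5 and SHA256 lines only); the C: drive is an assumption."""
import re

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def normalize_path(path):
    """Entries like '\\driversessioncrt\\x.exe' omit the drive letter; assume the
    system drive C: (assumption for the example, the report does not say)."""
    if path.startswith("\\") and not path.startswith("\\\\"):
        return "C:" + path
    return path


def parse_files_section(text):
    """Turn the flat listing into [{'path': ..., 'hashes': {algo: hex}}].
    A path line opens a record and the hash lines that follow belong to it;
    memory/<pid>-... dump entries carry no hashes and are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            current = None
            continue
        current = {"path": normalize_path(line), "hashes": {}}
        records.append(current)
    return records


def cluster_by_hash(records, algo="SHA256"):
    """Map each distinct digest to the set of paths it was written under."""
    clusters = {}
    for rec in records:
        digest = rec["hashes"].get(algo)
        if digest:
            clusters.setdefault(digest, set()).add(rec["path"])
    return clusters


def multi_path_payloads(clusters):
    """Digests dropped under more than one path, most widely copied first."""
    return sorted(((h, sorted(p)) for h, p in clusters.items() if len(p) > 1),
                  key=lambda item: -len(item[1]))


FILES_EXCERPT = r"""
memory/2732-0-0x0000000000BC0000-0x0000000000FE8000-memory.dmp

C:\driversessioncrt\file.vbs
MD5 677cc4360477c72cb0ce00406a949c61
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

\driversessioncrt\winRefMonitor.exe
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

C:\driversessioncrt\winRefMonitor.exe
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

C:\driversessioncrt\wininit.exe
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

C:\Users\Default User\Idle.exe
MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

C:\Users\Admin\AppData\Local\Temp\b9fdf753-e3ad-46b6-9559-ee2e7e90e770.vbs
MD5 f67289236d89602515d18e962b5fc536
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696

C:\Users\Admin\AppData\Local\Temp\1f496a16-fc3b-4cc0-8652-ae7f58aa0eaf.vbs
MD5 af14cd157ea3cd99f86fa101a56296dc
SHA256 5a3c5e310dfb2869a2bd25eca2593834f6d99bef899eae91c2ff87f59b9f5c78

C:\Users\Admin\AppData\Local\Temp\a1bbcefe-454d-44af-8024-914c7d82a315.vbs
MD5 f67289236d89602515d18e962b5fc536
SHA256 d9f8e08ced0ea357ec5eb20a4edcf54b4cd663730e6efc8c2828aa30acf09696
"""
```

On this excerpt `cluster_by_hash` yields four digests: the 9e7a70da... payload under three paths, the d9f8e08c... script under two GUID names, and one path each for file.vbs and the 1f496a16... script. The two multi-path clusters are the hashes to block; the single-path %TEMP% scripts are the ones worth extracting, because a fresh digest per iteration means their content changes run to run. When counting drop locations on the full listing, remember that C:\Users\Default User is a junction to C:\Users\Default, so those two Idle.exe paths are one file on disk.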

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 01:01

Reported

2023-12-07 01:03

Platform

win10v2004-20231127-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\38384e6a620884 C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\cmd.exe\", \"C:\\Users\\All Users\\Start Menu\\dllhost.exe\", \"C:\\odt\\TrustedInstaller.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\cmd.exe\", \"C:\\Users\\All Users\\Start Menu\\dllhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\driversessioncrt\\winlogon.exe\", \"C:\\Windows\\CbsTemp\\sppsvc.exe\", \"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\cmd.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\driversessioncrt\winRefMonitor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Windows\CbsTemp\sppsvc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\cmd.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\cmd.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\odt\\TrustedInstaller.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\driversessioncrt\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\CbsTemp\\sppsvc.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Start Menu\\dllhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Start Menu\\dllhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Google\\Update\\Install\\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\\SearchApp.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\GameBarPresenceWriter\\unsecapp.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\odt\\TrustedInstaller.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\CbsTemp\\sppsvc.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\backgroundTaskHost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\driversessioncrt\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Default\\Desktop\\TrustedInstaller.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Security\\BrowserCore\\Idle.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RuntimeBroker.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\conhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Security\BrowserCore\Idle.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\6ccacd8608530f C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\088424020bedd6 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe C:\driversessioncrt\winRefMonitor.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\38384e6a620884 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\eddb19405b7ce1 C:\driversessioncrt\winRefMonitor.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\GameBarPresenceWriter\unsecapp.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\GameBarPresenceWriter\29c1c3cc0f7685 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\CbsTemp\sppsvc.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\CbsTemp\0a1fd5f707cd16 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\DigitalLocker\en-US\fontdrvhost.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\DigitalLocker\en-US\5b884080fd4f94 C:\driversessioncrt\winRefMonitor.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\driversessioncrt\winRefMonitor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings C:\Windows\CbsTemp\sppsvc.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A
N/A N/A C:\Windows\CbsTemp\sppsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\driversessioncrt\winRefMonitor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CbsTemp\sppsvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 1364 wrote to memory of 4852 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 4852 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 4852 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 4852 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 4064 wrote to memory of 1636 N/A C:\driversessioncrt\winRefMonitor.exe C:\Windows\System32\cmd.exe
PID 4064 wrote to memory of 1636 N/A C:\driversessioncrt\winRefMonitor.exe C:\Windows\System32\cmd.exe
PID 1636 wrote to memory of 4580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1636 wrote to memory of 4580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4852 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 3944 N/A C:\Windows\System32\cmd.exe C:\Windows\CbsTemp\sppsvc.exe
PID 1636 wrote to memory of 3944 N/A C:\Windows\System32\cmd.exe C:\Windows\CbsTemp\sppsvc.exe
PID 3944 wrote to memory of 1376 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 1376 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 4564 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 4564 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1376 wrote to memory of 1884 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 1376 wrote to memory of 1884 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 1884 wrote to memory of 812 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1884 wrote to memory of 812 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1884 wrote to memory of 5064 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1884 wrote to memory of 5064 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 812 wrote to memory of 3176 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 812 wrote to memory of 3176 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 3176 wrote to memory of 3592 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3176 wrote to memory of 3592 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3176 wrote to memory of 4976 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3176 wrote to memory of 4976 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3592 wrote to memory of 4432 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 3592 wrote to memory of 4432 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 4432 wrote to memory of 4160 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4432 wrote to memory of 4160 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4432 wrote to memory of 3396 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4432 wrote to memory of 3396 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4160 wrote to memory of 1716 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 4160 wrote to memory of 1716 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 1716 wrote to memory of 2852 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1716 wrote to memory of 2852 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1716 wrote to memory of 4492 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1716 wrote to memory of 4492 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2852 wrote to memory of 4676 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 2852 wrote to memory of 4676 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 4676 wrote to memory of 1384 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4676 wrote to memory of 1384 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4676 wrote to memory of 3704 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4676 wrote to memory of 3704 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1384 wrote to memory of 532 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 1384 wrote to memory of 532 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 532 wrote to memory of 4852 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 532 wrote to memory of 4852 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 532 wrote to memory of 4052 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 532 wrote to memory of 4052 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4852 wrote to memory of 740 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 4852 wrote to memory of 740 N/A C:\Windows\System32\WScript.exe C:\Windows\CbsTemp\sppsvc.exe
PID 740 wrote to memory of 3012 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe
PID 740 wrote to memory of 3012 N/A C:\Windows\CbsTemp\sppsvc.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\CbsTemp\sppsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe

"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "

C:\driversessioncrt\winRefMonitor.exe

"C:\driversessioncrt\winRefMonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Install\{180A80A8-ED4A-42B6-A70F-990BB5D03364}\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\odt\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4dawC7zntr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\CbsTemp\sppsvc.exe

"C:\Windows\CbsTemp\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c03230-0cda-40b9-a22a-7eb2ef881c70.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34bd29d7-a25c-4cd3-9463-8b98a96b2958.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6255feca-8eea-48fe-9e78-c46733273804.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\547ec857-57a5-49fc-ada9-8c05654c2f21.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d82c474-4950-4bb2-b272-cc4be1f5bfd0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0adcba0-2998-4cc3-a212-0e965ded242c.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d1d2063-8252-4ead-8920-eaad7f8e1802.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\073f376f-ded4-40b9-b7fe-d46f112e1884.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fda44d9-cde8-45a2-bd63-2adb96f3b438.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55b888ed-d9a6-459d-ac45-6d9713b76875.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\647596ca-851c-4574-a46d-4443b39e168e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f3a2a3b-4646-4bf7-a541-1f79980fddc3.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fac16e73-ff57-44f5-9727-f60b606e5f90.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d82b782-fe67-48fc-8ec6-01bb1840bd9b.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b703ae-ae96-4a51-9cd5-ad50b596d704.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a55438d-bcc8-4712-9c67-735eac7b212d.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16dac168-a431-4c4f-b6a2-8ee789555481.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64905966-98d5-4adb-8756-374607d03e5f.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a272f8a2-f8fa-4713-8e62-1a5a30d51efc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\620f32a2-4845-4af9-b69a-1e3027b0a8c0.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5c137ff-c275-4a22-89aa-44938c686f1a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0174bee6-d263-4e4f-93af-522f35c4b8fc.vbs"

C:\Windows\CbsTemp\sppsvc.exe

C:\Windows\CbsTemp\sppsvc.exe
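
The schtasks /create lines above follow one pattern per dropped copy: two MINUTE-interval tasks (one with /rl HIGHEST) plus an ONLOGON task with /rl HIGHEST, each pointing at a Windows process name (cmd, winlogon, sppsvc, TrustedInstaller, RuntimeBroker, dllhost, conhost, Idle, ...) placed in a directory where no such binary belongs. The script below is an added example, not part of the sandbox output: it parses a handful of those command lines (copied from the listing above, plus one constructed benign task for contrast) and flags the masquerading image path, the sub-15-minute re-launch interval, the elevated run level and the three-tasks-per-binary redundancy. The set of "expected" system directories, the 15-minute threshold and the benign sample line are this example's own assumptions.

```python
import re
from collections import defaultdict

# Command lines copied verbatim from the Command Line section above, plus
# one constructed benign task (marked) so the classifier has a negative case.
SAMPLE_LINES = [
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\driversessioncrt\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\Idle.exe'" /f''',
    # constructed, benign: a daily backup task pointing at the real System32 image
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup" /f''',
]

# Image names this sample borrows from Windows. Idle.exe and System.exe have
# no on-disk image at all in a stock install (System and System Idle Process
# are kernel pseudo-processes), so any file by that name is suspect.
SYSTEM_NAMES = {
    "cmd.exe", "winlogon.exe", "sppsvc.exe", "trustedinstaller.exe",
    "fontdrvhost.exe", "runtimebroker.exe", "backgroundtaskhost.exe",
    "startmenuexperiencehost.exe", "conhost.exe", "dllhost.exe",
    "idle.exe", "system.exe",
}
# Assumption: directories where those names may legitimately live.
EXPECTED_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\servicing",
    r"c:\windows\systemapps", r"c:\windows\winsxs",
)
FAST_MINUTES = 15  # assumption: a /sc MINUTE task at or under this is a watchdog, not a job

_FLAG = re.compile(r'/(tn|sc|mo|tr|rl|st)\b\s+("[^"]*"|\S+)', re.I)


def parse_create(line):
    """Return the /tn /sc /mo /tr /rl /st values of a schtasks /create line."""
    opts = {}
    for key, val in _FLAG.findall(line):
        opts[key.lower()] = val.strip('"').strip("'")  # DCRat wraps /tr in "'...'"
    return opts


def image_of(tr):
    """First .exe in the /tr value; handles paths containing spaces."""
    m = re.match(r"(.*?\.exe)", tr, re.I)
    return m.group(1) if m else tr


def assess(line):
    """Classify one /create line; 'suspicious' is masquerade, or fast watchdog + HIGHEST."""
    o = parse_create(line)
    image = image_of(o.get("tr", ""))
    directory, _, name = image.lower().rpartition("\\")
    sched = o.get("sc", "").upper()
    reasons = []
    masquerade = name in SYSTEM_NAMES and not directory.startswith(EXPECTED_DIRS)
    if masquerade:
        reasons.append("system-binary name outside a Windows system directory")
    fast = sched == "MINUTE" and int(o.get("mo", "1")) <= FAST_MINUTES  # /mo defaults to 1
    if fast:
        reasons.append(f"re-launched every {o.get('mo', '1')} min")
    highest = o.get("rl", "").upper() == "HIGHEST"
    if highest:
        reasons.append("/rl HIGHEST")
    if sched == "ONLOGON":
        reasons.append("runs at every logon")
    return {
        "task": o.get("tn"),
        "image": image,
        "reasons": reasons,
        "suspicious": masquerade or (fast and highest),
    }


def redundant_targets(lines, minimum=3):
    """Images registered by at least `minimum` /create lines.

    DCRat registers each copy three times (two MINUTE watchdogs and one
    ONLOGON task, as the listing above shows); a legitimate installer
    rarely points several tasks at one binary.
    """
    by_image = defaultdict(list)
    for line in lines:
        a = assess(line)
        by_image[a["image"].lower()].append(a["task"])
    return {img: tasks for img, tasks in by_image.items() if len(tasks) >= minimum}


if __name__ == "__main__":
    for a in map(assess, SAMPLE_LINES):
        flag = "SUSPICIOUS" if a["suspicious"] else "ok        "
        print(flag, a["task"], a["image"], "; ".join(a["reasons"]))
    for img, tasks in redundant_targets(SAMPLE_LINES).items():
        print("redundant:", img, tasks)
```

On a live host the same checks apply to the output of schtasks /query /fo CSV /v or to Security event 4698 (task created), where the task XML carries the same Command, Interval and RunLevel fields. The reg add ... DisableTaskMgr line later in this section is a separate signal (Task Manager disabled via HKCU policy) and is not covered by this parser.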

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 49.86.100.95.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 37.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.23.21.2.in-addr.arpa udp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.37:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.145.30:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.145.14.145.in-addr.arpa udp
US 145.14.145.30:80 tool5245636476.000webhostapp.com tcp
US 145.14.145.30:80 tool5245636476.000webhostapp.com tcp
US 145.14.145.30:80 tool5245636476.000webhostapp.com tcp
US 145.14.145.30:80 tool5245636476.000webhostapp.com tcp

Files

memory/3052-0-0x00000000004C0000-0x00000000008E8000-memory.dmp

C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe

MD5 d7664d494b1b6e05334ada9accc57d06
SHA1 2cc50d284a600e30287fdef5efe56a586199eb28
SHA256 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6
SHA512 7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6

memory/3052-13-0x00000000004C0000-0x00000000008E8000-memory.dmp

C:\driversessioncrt\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat

MD5 40a5023d150998b4ba256dd94ea31230
SHA1 36702bfd3e71b3495e61ea589003bb856b959aca
SHA256 e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc
SHA512 6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15

C:\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/4064-19-0x00000000000C0000-0x000000000042A000-memory.dmp

memory/4064-20-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

memory/4064-21-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

memory/4064-22-0x0000000002500000-0x000000000250E000-memory.dmp

memory/4064-23-0x0000000002510000-0x000000000251E000-memory.dmp

memory/4064-24-0x0000000002570000-0x0000000002578000-memory.dmp

memory/4064-25-0x0000000002580000-0x000000000259C000-memory.dmp

memory/4064-26-0x000000001B010000-0x000000001B060000-memory.dmp

memory/4064-28-0x00000000025B0000-0x00000000025C0000-memory.dmp

memory/4064-27-0x00000000025A0000-0x00000000025A8000-memory.dmp

memory/4064-29-0x00000000025C0000-0x00000000025D6000-memory.dmp

memory/4064-30-0x000000001AFC0000-0x000000001AFC8000-memory.dmp

memory/4064-31-0x000000001AFE0000-0x000000001AFF2000-memory.dmp

memory/4064-32-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

memory/4064-33-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

memory/4064-34-0x000000001B000000-0x000000001B010000-memory.dmp

memory/4064-35-0x000000001B060000-0x000000001B06A000-memory.dmp

memory/4064-36-0x000000001B8C0000-0x000000001B916000-memory.dmp

memory/4064-37-0x0000000002530000-0x000000000253C000-memory.dmp

memory/4064-38-0x0000000002540000-0x0000000002548000-memory.dmp

memory/4064-39-0x0000000002550000-0x000000000255C000-memory.dmp

memory/4064-40-0x0000000002560000-0x0000000002568000-memory.dmp

memory/4064-41-0x000000001B070000-0x000000001B082000-memory.dmp

memory/4064-42-0x000000001BE40000-0x000000001C368000-memory.dmp

memory/4064-43-0x000000001B0A0000-0x000000001B0AC000-memory.dmp

memory/4064-44-0x000000001B910000-0x000000001B91C000-memory.dmp

memory/4064-45-0x000000001B920000-0x000000001B928000-memory.dmp

memory/4064-46-0x000000001B930000-0x000000001B93C000-memory.dmp

memory/4064-47-0x000000001B940000-0x000000001B94C000-memory.dmp

memory/4064-48-0x000000001BB50000-0x000000001BB58000-memory.dmp

memory/4064-49-0x000000001BC60000-0x000000001BC6C000-memory.dmp

memory/4064-50-0x000000001BB60000-0x000000001BB6A000-memory.dmp

memory/4064-51-0x000000001BB70000-0x000000001BB7E000-memory.dmp

memory/4064-52-0x000000001BB80000-0x000000001BB88000-memory.dmp

memory/4064-53-0x000000001BB90000-0x000000001BB9E000-memory.dmp

memory/4064-54-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

memory/4064-55-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

memory/4064-56-0x000000001BBC0000-0x000000001BBC8000-memory.dmp

memory/4064-57-0x000000001BBD0000-0x000000001BBDA000-memory.dmp

memory/4064-58-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

C:\Recovery\WindowsRE\System.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/4064-98-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4dawC7zntr.bat

MD5 bf703388a4b39ef8a948394b8775f6e3
SHA1 d240f2900c87b932d6db7889164248df288902c3
SHA256 a494b811cd994efdb6471818578373fa96246bcc2e0dcde0abbe6df7a64dcdd2
SHA512 0716772857217ff92dd35c5bfd648f70a7d1483ef95a6aeb1f1bb66e5102fe0b68eb1cac65ba8d5bf690bdb5177d45d3d68d0614c6ba160adc2bff6b7eb9f8d8

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/3944-103-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

memory/3944-104-0x000000001BB90000-0x000000001BBA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49c03230-0cda-40b9-a22a-7eb2ef881c70.vbs

MD5 fd181e405acd701fa96881d4ce0bcc9e
SHA1 e072a5f5c607e68792e1c8654273604697cb8a2b
SHA256 7245e0da5f770c70306b0f59c71a317c4a592538a9568b208fac638c341646b0
SHA512 d9effdba34777efbeeab43d1eff646f1e6709a9e975f6ec59cabad2997555123032fc172a7c2f668f4ec69372971ee2006084292237b6188925973b05cf40da7

C:\Users\Admin\AppData\Local\Temp\34bd29d7-a25c-4cd3-9463-8b98a96b2958.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

memory/3944-115-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

memory/1884-118-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

memory/1884-119-0x000000001B260000-0x000000001B270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\547ec857-57a5-49fc-ada9-8c05654c2f21.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

C:\Users\Admin\AppData\Local\Temp\6255feca-8eea-48fe-9e78-c46733273804.vbs

MD5 836eb0eb0627d4ace3c50c48098e08b5
SHA1 b5db99c9b166b354f84f5919b130c088f3e595b5
SHA256 6eba10f0c75e6c7854f60d3bbaa7f5645cccdb15aff0d47432fccb7760ee6259
SHA512 fb72a7f53bf18738f84c13e852f656a60fc2853a565640786d0402438c2b69fd975f3a3d772265eb3a14fc16f3b5d1a3e3f28bd8d8ee782349d26b79eacd293a

C:\Users\Admin\AppData\Local\Temp\547ec857-57a5-49fc-ada9-8c05654c2f21.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

memory/1884-130-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/3176-133-0x000000001B0A0000-0x000000001B0B0000-memory.dmp

memory/3176-132-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

memory/3176-134-0x0000000002660000-0x0000000002672000-memory.dmp

memory/3176-135-0x000000001B100000-0x000000001B156000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\1d82c474-4950-4bb2-b272-cc4be1f5bfd0.vbs

MD5 226086e0b064c005fde1eeff83f159c6
SHA1 30c9c8b259fbcf65d12cbeaea5b452dad258b429
SHA256 f04132abf5325cd38a7ebb1f1d20cc0dae15ba680646dc27ea227955aab34295
SHA512 fd279aefc20bf6d3ff4ea0bccf3c178e324288ea15c8d183fb1703aecf6d5e04f7ff856f950c9c01972089cafa009d5ba5c550d774802818afd82c909149d8a0

C:\Users\Admin\AppData\Local\Temp\a0adcba0-2998-4cc3-a212-0e965ded242c.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

memory/3176-146-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/4432-148-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

memory/4432-149-0x000000001B320000-0x000000001B330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\0d1d2063-8252-4ead-8920-eaad7f8e1802.vbs

MD5 efaa724b56bc41736f4d8a924ecbf4ae
SHA1 f26f602ace9fba99400a83248a0dacc54ca48405
SHA256 3373f944abf5b7d677c519d43fe8a5c569d9108625ed4d59caecd01c1e175024
SHA512 b37e705c5ebd9a268404fab6d8ab68681da438db6f7eca90a87029d54e06b5e840e10096c43ba6ca091971b47ee2e9df6521d3e4fd75f16b3a3f911356051ff3

C:\Users\Admin\AppData\Local\Temp\073f376f-ded4-40b9-b7fe-d46f112e1884.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

memory/4432-160-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/1716-162-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\7fda44d9-cde8-45a2-bd63-2adb96f3b438.vbs

MD5 1bdc160398e3e6b1a1d4ebe9d8967fc8
SHA1 aaff089f4474d168ee17cfe6416920237706f8ef
SHA256 d32c8b9cb646f52095b5a15cf6852e682aee2a4aa48a490b1d9144e1f1e480d0
SHA512 e461847bcc048f9c1a35785c12bd916652760444b1fad76c8d3e63fac734100af803e461743fb6f0f7ad271f2f22350e8ae469960594d499aaafabf842f59160

C:\Users\Admin\AppData\Local\Temp\55b888ed-d9a6-459d-ac45-6d9713b76875.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

memory/1716-173-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/4676-175-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

memory/4676-176-0x000000001B160000-0x000000001B172000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\647596ca-851c-4574-a46d-4443b39e168e.vbs

MD5 7bdb6ec84b384161ad22b02b62815228
SHA1 2c191a2bf0238a9ff3a651997952895118da6c61
SHA256 085b24de0e5ba69c59489b8e4af9db6c01d1ad3e3238b74df141f403d8551593
SHA512 9b9bdec3627b206e968292555a6fbbfe5431861cefc4efc85c93afc0dc6286beb61210b31e4909f5af9162599972c35175bff5f5686ca8a53be8d70c3acbdbcc

C:\Users\Admin\AppData\Local\Temp\9f3a2a3b-4646-4bf7-a541-1f79980fddc3.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

memory/4676-187-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/532-189-0x00007FFBA9E90000-0x00007FFBAA951000-memory.dmp

memory/532-190-0x000000001BE50000-0x000000001BE60000-memory.dmp

memory/532-191-0x000000001BE10000-0x000000001BE22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\2d82b782-fe67-48fc-8ec6-01bb1840bd9b.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

C:\Users\Admin\AppData\Local\Temp\fac16e73-ff57-44f5-9727-f60b606e5f90.vbs

MD5 85e9d47282a9082a6efa7b600fce6995
SHA1 88995d07d4ade929030c712aa95ff58f11e5b051
SHA256 c2be94438c2270a44c0f75bb5ae3647532fbc3743982b635303b39a277058a27
SHA512 ee70a0f6664bade0fb498ab72d2edb89c20dd00a373ac824ac2d19a8285d754d9da008b9f6ea6b16fb1ec1c93d28c47630e49da2dfc1f8fa4b48b963e28cf808

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\59b703ae-ae96-4a51-9cd5-ad50b596d704.vbs

MD5 7e02b28556e955178620a4920de922eb
SHA1 431bfedf4ee084592410826a1c1353e9b505a8a6
SHA256 d43954359edb407d78127fef7fdfe2ec87fd0f48c6444176d9475e3ae377eaf6
SHA512 dc8dc444df3ca6f1428714f5213501392fbd4c2fbd6e7a55dd640009e5083ac627dd9c442c5668ada06c5cc90bc36858818e20c80188b74142b133525e826ce5

C:\Users\Admin\AppData\Local\Temp\7a55438d-bcc8-4712-9c67-735eac7b212d.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\16dac168-a431-4c4f-b6a2-8ee789555481.vbs

MD5 f0c39e58d1c922d42f5e6d6995a549e9
SHA1 b5b2ddc8250238891fbca778114efa273d77d79d
SHA256 c2ae7bbce1b936285eb02ae052c78c504c204dcddecebb0a48478e89155290e1
SHA512 db860f937adcdfae724e61a47b5705772f63b30dec2e6175c6e48ebd74a3d71f1bf2b1a8e99e2f65e608ff6ec1b41aa3da49581f688110ea750d3317aefe2d9d

C:\Users\Admin\AppData\Local\Temp\64905966-98d5-4adb-8756-374607d03e5f.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\a272f8a2-f8fa-4713-8e62-1a5a30d51efc.vbs

MD5 553136ac84406057d285bf24e7c3716b
SHA1 d4348d5677b4991b010e83440e3035f558656bbf
SHA256 aac2345cbd6bd428ffddfeb07550b1f897c38f8874a2f4616b442c49adceac3b
SHA512 4f366a4cb692a765bb1bc0c3809f5016353db9f72fd1375034ada166f4329dd0da17b38ea5efbd20e9eb66e5231ea8ecb981a3bf427ca4912129870f1ab4b790

C:\Users\Admin\AppData\Local\Temp\620f32a2-4845-4af9-b69a-1e3027b0a8c0.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\f5c137ff-c275-4a22-89aa-44938c686f1a.vbs

MD5 7514c53493f24b8bd438620d805807d1
SHA1 45b267248f0da0e873fd8aa30f487dc31e22b757
SHA256 b57ce882ca1069f7e0b95960f197b2483fda794b5d13aceeeb6d0fb75846b893
SHA512 6131a050b704b1cf1b1d11ce57b7aa033513d87e20a7fa7d2950a6e371dc2284bed1c745f39585d59af7a06c3c3010b43df385b63d35cd847d767ef029dea881

C:\Users\Admin\AppData\Local\Temp\0174bee6-d263-4e4f-93af-522f35c4b8fc.vbs

MD5 75fe9a54cb7e3a10162044b51a648ea4
SHA1 1ee335a8b62888134098c978796e9b04f154c98f
SHA256 54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44
SHA512 581d4a368f82b2e7b87046ce4534f87fac08bc36be482066eeeeb86020c6be8b25a7682c7c4bc90b552edba12fe1f451f7d3128e163248922290fa346fae10f6

C:\Windows\CbsTemp\sppsvc.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44
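
The Files listing above records one entry per file event, so the same path and the same content recur many times. Read by hash rather than by path, it collapses to a small set: one PE (SHA256 9e7a70da...) copied under several system-process names, one recurring VBS (SHA256 54dfcc00...) written next to a unique VBS at each relaunch, and one write of the Temp\54de4bac...exe copy whose hashes (MD5 d41d8cd9..., SHA256 e3b0c442...) are those of a zero-byte file, meaning that event captured the file before any content was written. The script below is an added example, not part of the sandbox output; it takes a subset of the (path, SHA256) pairs copied from the listing and performs that clustering, computing the empty-file hash rather than hard-coding it.

```python
import hashlib
from collections import defaultdict

# (path, SHA256) pairs copied from the Files section above. The sandbox
# records one entry per file event, so a path can recur; this is a subset.
PAYLOAD_SHA = "9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f"
DROPPED = [
    (r"C:\driversessioncrt\winRefMonitor.exe", PAYLOAD_SHA),
    (r"C:\Recovery\WindowsRE\System.exe", PAYLOAD_SHA),
    (r"C:\Windows\CbsTemp\sppsvc.exe", PAYLOAD_SHA),
    (r"C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe", PAYLOAD_SHA),
    (r"C:\Users\Admin\AppData\Local\Temp\54de4bac8236bf9aef90a1f399337b5f55595a34.exe",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Temp\4dawC7zntr.bat",
     "a494b811cd994efdb6471818578373fa96246bcc2e0dcde0abbe6df7a64dcdd2"),
    (r"C:\Users\Admin\AppData\Local\Temp\49c03230-0cda-40b9-a22a-7eb2ef881c70.vbs",
     "7245e0da5f770c70306b0f59c71a317c4a592538a9568b208fac638c341646b0"),
    (r"C:\Users\Admin\AppData\Local\Temp\34bd29d7-a25c-4cd3-9463-8b98a96b2958.vbs",
     "54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44"),
    (r"C:\Users\Admin\AppData\Local\Temp\547ec857-57a5-49fc-ada9-8c05654c2f21.vbs",
     "54dfcc0021d3d9fb8216da96a6da44a15f0388c1963973783817d61a0c11bd44"),
    (r"C:\Users\Admin\AppData\Local\Temp\6255feca-8eea-48fe-9e78-c46733273804.vbs",
     "6eba10f0c75e6c7854f60d3bbaa7f5645cccdb15aff0d47432fccb7760ee6259"),
]

# Hash of zero bytes, computed rather than hard-coded so the comparison
# cannot be defeated by a transcription error.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def cluster(records):
    """Map each SHA256 to every path it was written to (duplicates kept)."""
    by_hash = defaultdict(list)
    for path, sha in records:
        by_hash[sha.lower()].append(path)
    return by_hash


def payload_copies(records):
    """The most-reused hash and the distinct paths it landed at.

    For this sample that is the single DCRat PE and its masquerade names.
    """
    by_hash = cluster(records)
    sha = max(by_hash, key=lambda h: len(by_hash[h]))
    return sha, sorted(set(by_hash[sha]))


def empty_writes(records):
    """Events whose content hash is that of zero bytes (created or truncated, not yet written)."""
    return [path for path, sha in records if sha.lower() == EMPTY_SHA256]


def unstable_paths(records):
    """Paths that carry more than one distinct hash across events."""
    seen = defaultdict(set)
    for path, sha in records:
        seen[path].add(sha.lower())
    return sorted(p for p, shas in seen.items() if len(shas) > 1)


if __name__ == "__main__":
    sha, paths = payload_copies(DROPPED)
    print("payload", sha[:12], "copied to:")
    for p in paths:
        print("   ", p)
    print("zero-byte writes:", empty_writes(DROPPED))
    print("paths with changing content:", unstable_paths(DROPPED))
    for h, ps in cluster(DROPPED).items():
        if h != sha and len(ps) > 1:
            print("recurring non-payload file", h[:12], "x", len(ps))
```

When building blocklists from a report like this, the payload hash and the recurring VBS hash are the durable indicators; the per-launch VBS names and the Temp copy name are unique to this detonation, and the zero-byte record is not an indicator at all (it matches every empty file on every host).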