Analysis Overview
SHA256
e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8
Threat Level: Known bad
The file 0924b9eca922c9227c4f426be5174bae.exe was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
UAC bypass
DCRat payload
Disables Task Manager via registry modification
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry key
System policy modification
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-07 01:02
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-07 01:02
Reported
2023-12-07 01:04
Platform
win7-20231130-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\", \"C:\\driversessioncrt\\WmiPrvSE.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
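Winlogon reads the Shell value as a comma-separated list and starts every entry at logon, which is why the writes above keep growing: each row appends one more dropped binary to the list (the rows are not in chronological order; the 14-entry value is the final state). The parser below is an added example, not part of the report or of the sandbox's own tooling. It splits that final value as the registry stores it (the report's JSON-style escaping undone, which is an assumption about the on-disk form) and tallies the image names; the stock Shell value of a clean install is assumed to be plain explorer.exe.

```python
"""Parse the Winlogon Shell value the sample rewrites and list what it launches.

Added example, not part of the sandbox report. SAMPLE_SHELL is reconstructed
from the report's longest Winlogon Shell write with the escaping undone; the
default Shell value is assumed to be plain explorer.exe.
"""
import ntpath
from collections import Counter

# Value of the Winlogon Shell entry on a clean Windows install (assumption).
DEFAULT_SHELL = "explorer.exe"

# Constructed from the report's 14-entry Shell write, as the registry stores it.
SAMPLE_SHELL = (
    r'explorer.exe, "C:\Windows\PolicyDefinitions\ja-JP\System.exe", '
    r'"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe", '
    r'"C:\Windows\Resources\Themes\lsm.exe", '
    r'"C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe", '
    r'"C:\driversessioncrt\audiodg.exe", '
    r'"C:\Users\Default User\winlogon.exe", '
    r'"C:\driversessioncrt\taskhost.exe", '
    r'"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe", '
    r'"C:\Windows\tracing\System.exe", '
    r'"C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe", '
    r'"C:\Users\Default\Documents\My Music\wininit.exe", '
    r'"C:\Windows\Logs\DPX\System.exe", '
    r'"C:\Program Files\VideoLAN\VLC\lua\lsm.exe", '
    r'"C:\driversessioncrt\WmiPrvSE.exe"'
)


def parse_shell_value(raw: str) -> list[str]:
    """Split a Winlogon Shell value into the programs Winlogon will start.

    Winlogon treats the value as a comma-separated list and launches every
    entry. Paths are quoted because they contain spaces and may contain
    commas, so only commas outside double quotes separate entries.
    """
    entries: list[str] = []
    current: list[str] = []
    in_quotes = False
    for ch in raw:
        if ch == '"':
            in_quotes = not in_quotes   # quotes delimit an entry; they are not part of the path
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def non_default_shell_entries(raw: str) -> list[str]:
    """Everything beyond the stock explorer.exe; each one is a persistence entry."""
    return [e for e in parse_shell_value(raw) if e.lower() != DEFAULT_SHELL]


def basename_counts(raw: str) -> Counter:
    """Registrations per image name; repeated system-binary names are the tell."""
    return Counter(ntpath.basename(e) for e in non_default_shell_entries(raw))


if __name__ == "__main__":
    for entry in non_default_shell_entries(SAMPLE_SHELL):
        print("Shell launches:", entry)
    print(basename_counts(SAMPLE_SHELL).most_common())
```

On a live host the same split applies to the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; anything other than a single explorer.exe entry deserves a look.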
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (42 occurrences) | N/A | C:\Windows\system32\schtasks.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) (5 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) (5 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) (5 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) (2 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) (2 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) (2 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
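The three values written above are the whole of the sample's "UAC bypass": it does not exploit an auto-elevating binary, it simply turns UAC off by policy once it already has the rights to write HKLM (EnableLUA=0 takes effect at the next reboot; the other two remove the consent prompt and the secure desktop in the meantime). The same writes reappear under the "Checks whether UAC is enabled" and "System policy modification" headings below. The audit below is an added example, not from the report; it replays indicator strings in the sandbox's own format against the Windows 7+ defaults, which are stated as an assumption about an unmodified install.

```python
"""Audit UAC policy values against their Windows defaults.

Added example, not part of the sandbox report. SAMPLE_INDICATORS are copied
from the report's Set value (int) rows; the defaults (EnableLUA=1,
ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) are those of Windows 7
and later and are assumed to describe an unmodified install.
"""
import re

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (default, what a value of 0 means)
UAC_POLICY = {
    "EnableLUA": (1, "UAC off after the next reboot; admins run with a full token and get no prompts"),
    "ConsentPromptBehaviorAdmin": (5, "admins elevate silently, no consent prompt at all"),
    "PromptOnSecureDesktop": (1, "remaining prompts appear on the interactive desktop instead of the secure desktop"),
}

# Matches the sandbox's  <key path>\<value name> = "<int>"  indicator format.
SET_INT_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<value>-?\d+)"$')

# Constructed from the report's UAC bypass rows.
SAMPLE_INDICATORS = [
    POLICY_KEY + r'\ConsentPromptBehaviorAdmin = "0"',
    POLICY_KEY + r'\PromptOnSecureDesktop = "0"',
    POLICY_KEY + r'\EnableLUA = "0"',
]


def parse_set_value(indicator: str) -> tuple[str, str, int]:
    """Split an indicator into (key path, value name, integer value)."""
    m = SET_INT_RE.match(indicator)
    if m is None:
        raise ValueError(f"not a Set value (int) indicator: {indicator!r}")
    return m["key"], m["name"], int(m["value"])


def audit_uac(indicators: list[str]) -> list[str]:
    """Replay the writes and report every UAC value left off its default.

    Writes to other keys are ignored; for a given value name the last write
    wins, as it would in the registry.
    """
    state: dict[str, int] = {}
    for indicator in indicators:
        key, name, value = parse_set_value(indicator)
        if key.lower() == POLICY_KEY.lower() and name in UAC_POLICY:
            state[name] = value
    findings = []
    for name, (default, if_zero) in UAC_POLICY.items():
        value = state.get(name, default)
        if value == default:
            continue
        effect = if_zero if value == 0 else "non-default value, review manually"
        findings.append(f"{name}={value} (default {default}): {effect}")
    return findings


if __name__ == "__main__":
    for line in audit_uac(SAMPLE_INDICATORS):
        print(line)
```

The same function works on values exported from a live host (for example the output of `reg query` on the Policies\System key, reshaped into the indicator format); a finding on EnableLUA means the machine is already past the point where UAC could have stopped anything.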
DCRat payload
| Description | Indicator | Process | Target |
| N/A (23 hits, no indicator details reported) | N/A | N/A | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\driversessioncrt\winRefMonitor.exe | N/A |
| N/A | N/A | C:\driversessioncrt\winRefMonitor.exe | N/A |
| N/A | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
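The "Process spawned unexpected child process" findings above and the dropped executables in this table describe one trick from two angles: the sample copies itself under the names of Windows system binaries (WmiPrvSE.exe, lsm.exe, winlogon.exe, wininit.exe, audiodg.exe, taskhost.exe, and a System.exe that has no legitimate counterpart) into directories those binaries never run from, and the copies then drive schtasks.exe. The checks below are an added example, not from the report or the sandbox vendor: one flags a system-binary name running from the wrong directory, the other flags a parent/child pair a system component should not produce. The process tree, PIDs and parent links, the directory table and the denylist are all assumptions for illustration.

```python
"""Flag dropped binaries that borrow a Windows system image name from the wrong
directory, and parent/child pairs a system component should never produce.

Added example, not part of the sandbox report. SAMPLE_PROCS is constructed
from image paths on the page; PIDs and parent links are assumed, as are the
table of legitimate directories and the parent/child denylist.
"""
import ntpath
from dataclasses import dataclass

# Image name -> directories it legitimately runs from on a default install
# (assumed; extend per OS build). An empty set means no such binary exists:
# the "System" process has no on-disk System.exe at all.
SYSTEM_BINARY_HOMES = {
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "system.exe": set(),
}

# Parent image name -> child image names it is not expected to spawn
# (assumed fragment; the report's signature fires on wmiprvse.exe -> schtasks.exe).
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe"},
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # full image path as logged


# Constructed process tree; PIDs and links are illustrative assumptions.
SAMPLE_PROCS = [
    Proc(400, 0, r"C:\Windows\system32\wininit.exe"),
    Proc(500, 0, r"C:\Windows\system32\winlogon.exe"),
    Proc(600, 0, r"C:\Windows\explorer.exe"),
    Proc(900, 700, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    Proc(1200, 600, r"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"),
    Proc(1300, 1200, r"C:\driversessioncrt\winRefMonitor.exe"),
    Proc(1400, 1300, r"C:\driversessioncrt\WmiPrvSE.exe"),
    Proc(1500, 1400, r"C:\Windows\system32\schtasks.exe"),
    Proc(1600, 1300, r"C:\Windows\Resources\Themes\lsm.exe"),
    Proc(1700, 1300, r"C:\Users\Default User\winlogon.exe"),
]


def masquerading(procs):
    """(pid, image) for every process whose name belongs to a system binary
    but whose directory is not one that binary lives in."""
    hits = []
    for p in procs:
        homes = SYSTEM_BINARY_HOMES.get(ntpath.basename(p.image).lower())
        if homes is None:                   # not a name we track
            continue
        if ntpath.dirname(p.image).lower() not in homes:
            hits.append((p.pid, p.image))
    return hits


def unexpected_children(procs):
    """(parent image, child image) for every denylisted parent/child pair.

    The denylist is keyed on the parent's image *name*, so a dropped
    WmiPrvSE.exe trips it exactly like the real one would; pair this with
    masquerading() to tell the two apart.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:                  # parent exited or is outside the capture
            continue
        pname = ntpath.basename(parent.image).lower()
        if ntpath.basename(p.image).lower() in UNEXPECTED_CHILDREN.get(pname, set()):
            hits.append((parent.image, p.image))
    return hits


if __name__ == "__main__":
    for pid, image in masquerading(SAMPLE_PROCS):
        print(f"masquerading pid {pid}: {image}")
    for parent, child in unexpected_children(SAMPLE_PROCS):
        print(f"unexpected child: {parent} -> {child}")
```

Both checks take the same flat list of (pid, ppid, image) records, which is what a Sysmon event 1 export or a process-list snapshot reduces to; the directory table is the part that needs maintaining per Windows build.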
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Resources\\Themes\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Resources\\Themes\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\driversessioncrt\\taskhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\tracing\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Logs\\DPX\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\driversessioncrt\\taskhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Logs\\DPX\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\driversessioncrt\\audiodg.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\driversessioncrt\\WmiPrvSE.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\driversessioncrt\\WmiPrvSE.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\driversessioncrt\\audiodg.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\tracing\\System.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) (5 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Key value queried (5 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) (2 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Key value queried (2 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\driversessioncrt\winRefMonitor.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\lsm.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\101b941d020240 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\Themes\lsm.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Windows\tracing\27d1bcfc3c54e0 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Windows\Logs\DPX\27d1bcfc3c54e0 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Windows\Resources\Themes\lsm.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Windows\Resources\Themes\101b941d020240 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Windows\tracing\System.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Windows\Logs\DPX\System.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\ja-JP\System.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\System.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\ja-JP\27d1bcfc3c54e0 | C:\driversessioncrt\winRefMonitor.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\driversessioncrt\WmiPrvSE.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) (3 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) (4 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) (5 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) (1 occurrence) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) (2 occurrences) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\WmiPrvSE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe
"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "
C:\driversessioncrt\winRefMonitor.exe
"C:\driversessioncrt\winRefMonitor.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winRefMonitor" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\driversessioncrt\winRefMonitor.exe
"C:\driversessioncrt\winRefMonitor.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\driversessioncrt\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\driversessioncrt\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\driversessioncrt\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\driversessioncrt\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\driversessioncrt\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xe7arYpjg5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\driversessioncrt\WmiPrvSE.exe
"C:\driversessioncrt\WmiPrvSE.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\450c16c7-ee9f-4ebc-a927-cf3f8b05165f.vbs"
C:\driversessioncrt\WmiPrvSE.exe
C:\driversessioncrt\WmiPrvSE.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\637d706c-a1ce-4ce4-9b33-b227fbbb446d.vbs"
C:\driversessioncrt\WmiPrvSE.exe
C:\driversessioncrt\WmiPrvSE.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5030860-20de-45de-aba2-0db5efd833d6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b15092e8-533d-459d-a089-5f50c20e1ca8.vbs"
C:\driversessioncrt\WmiPrvSE.exe
C:\driversessioncrt\WmiPrvSE.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d713c53-cb1c-43d2-94e6-a72fad8eb119.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f6889d3-8327-4e2e-9322-6ca8dca686c4.vbs"
C:\driversessioncrt\WmiPrvSE.exe
C:\driversessioncrt\WmiPrvSE.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6fcf201-70c8-4236-a9f3-8f49afea59e0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1fe53a8-5110-4358-8cd2-25d748242543.vbs"
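The schtasks.exe lines above follow one template per dropped copy: a task on a short minute timer, the same program again at logon with /rl HIGHEST, and a third minute-timer task also at HIGHEST, each pointing at a copy of the payload that borrows a Windows binary name (lsm.exe, winlogon.exe, wininit.exe, audiodg.exe, taskhost.exe, WmiPrvSE.exe, or the non-existent System.exe) in a directory where that binary never lives. Because /f overwrites an existing task of the same name, the second "SystemS" simply replaces the first. The w32tm /stripchart calls between the batch steps are a common stand-in for a sleep. The Python below is an added example, not code from the report or from the sample: it parses command lines of that shape and flags those traits. EXPECTED_DIRS is a hypothetical lookup table kept deliberately short, and the sample lines are copied from the process list above.

```python
"""Triage schtasks.exe /create command lines from a sandbox process list."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Directory each reused binary name genuinely lives in (an assumption made
# for this example; extend it for your own estate). An empty tuple means
# Windows ships no binary by that name at all.
EXPECTED_DIRS: Dict[str, Tuple[str, ...]] = {
    "lsm.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "wininit.exe": (r"c:\windows\system32",),
    "audiodg.exe": (r"c:\windows\system32",),
    "taskhost.exe": (r"c:\windows\system32",),
    "wmiprvse.exe": (r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"),
    "system.exe": (),
}

# The report quotes /tr as "'<path>'"; \x22 is a double quote, \x27 a single one.
TASK_RE = re.compile(
    r"schtasks(?:\.exe)?\s+/create\s+/tn\s+\x22(?P<name>[^\x22]+)\x22"
    r"\s+/sc\s+(?P<sc>\S+)"
    r"(?:\s+/mo\s+(?P<mo>\d+))?"
    r"\s+/tr\s+\x22\x27(?P<tr>[^\x27]+)\x27\x22"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)


@dataclass
class Task:
    name: str
    schedule: str            # MINUTE, ONLOGON, ...
    minutes: Optional[int]   # /mo value for MINUTE schedules
    target: str              # program named in /tr
    highest: bool            # /rl HIGHEST present
    findings: List[str] = field(default_factory=list)


def parse_task(cmdline: str) -> Optional[Task]:
    """Parse one schtasks /create line; None for any other command."""
    m = TASK_RE.search(cmdline)
    if m is None:
        return None
    target = m.group("tr")
    directory, _, exe = target.lower().rpartition("\\")
    schedule = m.group("sc").upper()
    minutes = int(m.group("mo")) if m.group("mo") else None
    task = Task(m.group("name"), schedule, minutes, target,
                "/rl highest" in m.group("rest").lower())
    if exe in EXPECTED_DIRS and directory not in EXPECTED_DIRS[exe]:
        task.findings.append(f"{exe} outside its expected directory")
    if schedule == "MINUTE" and minutes is not None and minutes <= 15:
        task.findings.append(f"re-launched every {minutes} min")
    if task.highest:
        task.findings.append("runs with highest privileges")
    return task


def triage(cmdlines: List[str]) -> List[Task]:
    """Parse every line and keep the schtasks tasks that have findings."""
    parsed = (parse_task(c) for c in cmdlines)
    return [t for t in parsed if t is not None and t.findings]


def persistent_targets(tasks: List[Task]) -> List[str]:
    """Targets registered both on a minute timer and at logon."""
    schedules: Dict[str, Set[str]] = {}
    for t in tasks:
        schedules.setdefault(t.target, set()).add(t.schedule)
    return sorted(p for p, s in schedules.items() if {"MINUTE", "ONLOGON"} <= s)


# Lines copied from the process list above, plus one non-schtasks command.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /f''',
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
]

if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for t in found:
        print(f"{t.name:<12} {t.schedule:<8} {t.target}")
        print("    " + "; ".join(t.findings))
    print("timer + logon targets:", persistent_targets(found))
```

Run against a full process list, the script reduces dozens of schtasks lines to a handful of target paths, which is the list you hand to the containment step; the masquerade check is path-based, so a copy that lands in the genuine directory would need a hash comparison instead.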
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tool5245636476.000webhostapp.com | udp |
| US | 145.14.144.249:80 | tool5245636476.000webhostapp.com | tcp |
| US | 145.14.144.249:80 | tool5245636476.000webhostapp.com | tcp |
| US | 145.14.144.249:80 | tool5245636476.000webhostapp.com | tcp |
| US | 145.14.144.249:80 | tool5245636476.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | tool5245636476.000webhostapp.com | udp |
| US | 145.14.145.163:80 | tool5245636476.000webhostapp.com | tcp |
| US | 145.14.145.163:80 | tool5245636476.000webhostapp.com | tcp |
Files
memory/3052-0-0x00000000012C0000-0x00000000016E8000-memory.dmp
memory/3052-12-0x00000000012C0000-0x00000000016E8000-memory.dmp
C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe
| MD5 | d7664d494b1b6e05334ada9accc57d06 |
| SHA1 | 2cc50d284a600e30287fdef5efe56a586199eb28 |
| SHA256 | 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6 |
| SHA512 | 7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6 |
C:\driversessioncrt\file.vbs
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat
| MD5 | 40a5023d150998b4ba256dd94ea31230 |
| SHA1 | 36702bfd3e71b3495e61ea589003bb856b959aca |
| SHA256 | e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc |
| SHA512 | 6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15 |
\driversessioncrt\winRefMonitor.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\driversessioncrt\winRefMonitor.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\driversessioncrt\winRefMonitor.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
\driversessioncrt\winRefMonitor.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
memory/2600-21-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
memory/2600-20-0x0000000000900000-0x0000000000C6A000-memory.dmp
memory/2600-22-0x000000001B100000-0x000000001B180000-memory.dmp
memory/2600-23-0x0000000000440000-0x000000000044E000-memory.dmp
memory/2600-24-0x0000000000450000-0x000000000045E000-memory.dmp
memory/2600-25-0x00000000005E0000-0x00000000005E8000-memory.dmp
memory/2600-26-0x00000000008A0000-0x00000000008BC000-memory.dmp
memory/2600-27-0x00000000005F0000-0x00000000005F8000-memory.dmp
memory/2600-28-0x00000000008C0000-0x00000000008D0000-memory.dmp
memory/2600-29-0x00000000008D0000-0x00000000008E6000-memory.dmp
memory/2600-30-0x00000000008F0000-0x00000000008F8000-memory.dmp
memory/2600-31-0x0000000002200000-0x0000000002212000-memory.dmp
memory/2600-32-0x0000000002210000-0x000000000221C000-memory.dmp
memory/2600-33-0x0000000002220000-0x0000000002228000-memory.dmp
memory/2600-34-0x0000000002230000-0x0000000002240000-memory.dmp
memory/2600-35-0x0000000002240000-0x000000000224A000-memory.dmp
memory/2600-36-0x00000000022E0000-0x0000000002336000-memory.dmp
memory/2600-37-0x0000000002250000-0x000000000225C000-memory.dmp
memory/2600-38-0x00000000023B0000-0x00000000023B8000-memory.dmp
memory/2600-39-0x00000000023C0000-0x00000000023CC000-memory.dmp
memory/2600-40-0x00000000023D0000-0x00000000023D8000-memory.dmp
memory/2600-41-0x00000000023E0000-0x00000000023F2000-memory.dmp
memory/2600-42-0x0000000002410000-0x000000000241C000-memory.dmp
memory/2600-43-0x0000000002420000-0x000000000242C000-memory.dmp
memory/2600-44-0x000000001A9C0000-0x000000001A9C8000-memory.dmp
memory/2600-45-0x000000001A9D0000-0x000000001A9DC000-memory.dmp
memory/2600-46-0x000000001A9E0000-0x000000001A9EC000-memory.dmp
memory/2600-47-0x000000001A9F0000-0x000000001A9F8000-memory.dmp
memory/2600-48-0x000000001AF30000-0x000000001AF3C000-memory.dmp
memory/2600-49-0x000000001AF40000-0x000000001AF4A000-memory.dmp
memory/2600-50-0x000000001AF50000-0x000000001AF5E000-memory.dmp
memory/2600-51-0x000000001AF60000-0x000000001AF68000-memory.dmp
memory/2600-52-0x000000001AF70000-0x000000001AF7E000-memory.dmp
memory/2600-53-0x000000001AF80000-0x000000001AF88000-memory.dmp
memory/2600-54-0x000000001AF90000-0x000000001AF9C000-memory.dmp
memory/2600-55-0x000000001AFA0000-0x000000001AFA8000-memory.dmp
memory/2600-56-0x000000001B0B0000-0x000000001B0BA000-memory.dmp
memory/2600-57-0x000000001B0C0000-0x000000001B0CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat
| MD5 | 0bc99b36ffd928554df8059cdad89664 |
| SHA1 | 3250fc8aecbfa46eb5f9e621daa123fc235e4fdd |
| SHA256 | afd56dd8bc6fb82b10e83ccc91fb6403e5b6e4c1f2ac180152afe53e3606244d |
| SHA512 | d0a97728914bdc6bd64056377e1ef654ab08dc92327f509a3f4d9e8a302987502c34262febdb4fca8ae7a0c1725258a9cadd0a25cd5db29d9d91dce1de7b8ae6 |
memory/2600-67-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
C:\driversessioncrt\winRefMonitor.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
memory/1704-70-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp
memory/1704-69-0x0000000000C70000-0x0000000000FDA000-memory.dmp
memory/1704-71-0x000000001B090000-0x000000001B110000-memory.dmp
memory/1704-72-0x0000000000B20000-0x0000000000B32000-memory.dmp
memory/1704-73-0x00000000024F0000-0x0000000002546000-memory.dmp
C:\Windows\Resources\Themes\lsm.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\xe7arYpjg5.bat
| MD5 | 58f7105be112bc3a14fdcb21145cd649 |
| SHA1 | 608e43e9aa73e65e31003e492b874f8735fc9365 |
| SHA256 | 6bf9d10f6e7f0dbd1318881e20bf34b98088a29e3c68a45350576e4be26a790c |
| SHA512 | 31cb23a1ad61955ce562148f71a3a9ef8d61a116722c7d32849a285a4cb6cab41351e43afdd03b87ad5241134440ebd62494e8cf55bb3316455eca26fdfd5950 |
memory/1704-103-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp
C:\driversessioncrt\WmiPrvSE.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\driversessioncrt\WmiPrvSE.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
memory/2608-107-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
memory/2608-106-0x0000000000180000-0x00000000004EA000-memory.dmp
memory/2608-108-0x000000001AB90000-0x000000001AC10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs
| MD5 | 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53 |
| SHA1 | eb903b8b7d92a1ce784d9f615be419726326a5f3 |
| SHA256 | e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9 |
| SHA512 | aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7 |
C:\Users\Admin\AppData\Local\Temp\450c16c7-ee9f-4ebc-a927-cf3f8b05165f.vbs
| MD5 | 0aec6349b4d56d44e28c77c8c5405463 |
| SHA1 | 4556a90d3c5b6f0897a51504e1f01d1ec6c94dc4 |
| SHA256 | 2661308329712c966dcb8d79036d4f9d67f6c3454142518921a6e34db21d0f5d |
| SHA512 | e6ed17f22ff45c2d0387f112bcdc340ee51df16fb1e594eb2822083ba035332c9b1feb1f02ae8b7d474ca8dfa1fadf95834669e720ccab7dbd051fdecdf678e0 |
memory/2608-118-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
memory/2608-119-0x000000001AB90000-0x000000001AC10000-memory.dmp
memory/2608-120-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
C:\driversessioncrt\WmiPrvSE.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
memory/1228-122-0x0000000000150000-0x00000000004BA000-memory.dmp
memory/1228-123-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp
memory/1228-124-0x000000001B3B0000-0x000000001B430000-memory.dmp
memory/1228-125-0x00000000008E0000-0x00000000008F2000-memory.dmp
memory/1228-126-0x00000000009B0000-0x00000000009C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs
| MD5 | 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53 |
| SHA1 | eb903b8b7d92a1ce784d9f615be419726326a5f3 |
| SHA256 | e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9 |
| SHA512 | aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7 |
C:\Users\Admin\AppData\Local\Temp\637d706c-a1ce-4ce4-9b33-b227fbbb446d.vbs
| MD5 | 2b95c1c6867ffbe2930f9d719d56d416 |
| SHA1 | 9e93ce929fa91d21836341c2dcbfb4553bd8cecd |
| SHA256 | dfab9690789d887b9391c971424f5a823ffe72d8694d37713eb1e73f3aede646 |
| SHA512 | 41ff5b2ee04e4e07cee4dbc7c2702e5bed9bfb2385dd06f02ed1833c87b33f67b1066ccba65e4c826292273f7e9a4ece19d0c998fcddbb209f432daaa29d0e86 |
C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs
| MD5 | 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53 |
| SHA1 | eb903b8b7d92a1ce784d9f615be419726326a5f3 |
| SHA256 | e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9 |
| SHA512 | aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7 |
C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
memory/1228-137-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp
memory/1228-138-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp
C:\driversessioncrt\WmiPrvSE.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
memory/1156-140-0x0000000001070000-0x00000000013DA000-memory.dmp
memory/1156-141-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
memory/1156-142-0x0000000000740000-0x0000000000752000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\d5030860-20de-45de-aba2-0db5efd833d6.vbs
| MD5 | 3ac74fe9a39410eddf94b58512e53818 |
| SHA1 | 6b50a212f305ee9a36cf0cbd49c3409c6842d1e2 |
| SHA256 | 81a10f3c0549fdd5f9e8a87fff6a3b6730089afc189679c0ec7594da2c39dee9 |
| SHA512 | bfae59ea84604a9f061137e52df1cb99971d6ff9404f8b4663c5147a8812c2c647ec6b8c0d77b5bcb48deb99c506aa2867aa27897abfebd287a4471966cbd0e5 |
C:\Users\Admin\AppData\Local\Temp\b15092e8-533d-459d-a089-5f50c20e1ca8.vbs
| MD5 | 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53 |
| SHA1 | eb903b8b7d92a1ce784d9f615be419726326a5f3 |
| SHA256 | e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9 |
| SHA512 | aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7 |
memory/1156-153-0x000007FEF5840000-0x000007FEF622C000-memory.dmp
C:\driversessioncrt\WmiPrvSE.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
memory/2560-155-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\3d713c53-cb1c-43d2-94e6-a72fad8eb119.vbs
| MD5 | 511ee97dc9e9de1a531bc3a6337e6680 |
| SHA1 | 2b9ec24ca8b6435b6a715a5f7e7f6f8a4bca5c0c |
| SHA256 | dfaa0931ae6e3bac5a769962a523f9029734c2ff5bf85d348ea269300029be58 |
| SHA512 | 22d0fc3c89b54461fdd8e0ab1220368e7d9e154914624adda620699ccc1221671ff04b847a888db4d926a5b3eca957bbba3990d9c80037702fc36927b45690ef |
C:\Users\Admin\AppData\Local\Temp\2f6889d3-8327-4e2e-9322-6ca8dca686c4.vbs
| MD5 | 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53 |
| SHA1 | eb903b8b7d92a1ce784d9f615be419726326a5f3 |
| SHA256 | e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9 |
| SHA512 | aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7 |
C:\driversessioncrt\WmiPrvSE.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\a6fcf201-70c8-4236-a9f3-8f49afea59e0.vbs
| MD5 | 88137f82f4e244a665d2ccc03aacb609 |
| SHA1 | 70b4c2dbcf3fd3eae9bfd9cbfdf9c13d4872116e |
| SHA256 | 83eb170234daf01456c7875f9c8e9f9f1349aea5c10ac872aab080b95bf3f699 |
| SHA512 | 81424ae9c795fb2106384e16746d1c4701a4b6b2b8f79e522a458b6d9750232f6532e39887d949f23a1b816e9c37b7077a2052d5dffb374188194f7fce303208 |
C:\Users\Admin\AppData\Local\Temp\e1fe53a8-5110-4358-8cd2-25d748242543.vbs
| MD5 | 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53 |
| SHA1 | eb903b8b7d92a1ce784d9f615be419726326a5f3 |
| SHA256 | e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9 |
| SHA512 | aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7 |
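Every dropped executable in the list above (winRefMonitor.exe, lsm.exe, WmiPrvSE.exe and the 89da897d…exe copy in Temp) carries the same SHA256, 9e7a70da8b8f…, and five of the ten temp .vbs files share e666f3a621bb…: the sample copies one payload to many masquerading paths and re-emits one launcher script. The Python below is an added example, not part of the report: it parses the section's path-plus-hash-table layout and groups paths by digest, so a blocklist needs one entry per distinct file rather than one per path. SAMPLE_FILES is an excerpt of the section above trimmed to path and SHA256 rows.

```python
"""Collapse the Files section of a sandbox report by SHA256."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

Record = Tuple[str, Dict[str, str]]   # (path as listed, {algorithm: hex digest})


def parse_files_section(text: str) -> List[Record]:
    """One record per listed path, in order. A path repeated for several
    write events stays repeated; memory/... dump lines carry no hashes and
    are skipped."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if records:
                records[-1][1][m.group(1)] = m.group(2).lower()
        elif not line.startswith("memory/"):
            records.append((line, {}))
    return records


def group_by_sha256(records: List[Record]) -> Dict[str, Set[str]]:
    """Map each SHA256 digest to the set of paths it was written to."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for path, hashes in records:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].add(path)
    return dict(groups)


def multi_path_hashes(groups: Dict[str, Set[str]], min_paths: int = 2) -> Dict[str, List[str]]:
    """Digests written to several paths: one blocklist entry covers all of them."""
    return {h: sorted(p) for h, p in groups.items() if len(p) >= min_paths}


# Excerpt of the Files section above, cut down to path and SHA256 rows.
SAMPLE_FILES = r"""
C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe
| SHA256 | 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6 |
C:\driversessioncrt\winRefMonitor.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
memory/2600-20-0x0000000000900000-0x0000000000C6A000-memory.dmp
C:\Windows\Resources\Themes\lsm.exe
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
C:\driversessioncrt\WmiPrvSE.exe
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs
| SHA256 | e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9 |
C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs
| SHA256 | e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9 |
C:\Users\Admin\AppData\Local\Temp\637d706c-a1ce-4ce4-9b33-b227fbbb446d.vbs
| SHA256 | dfab9690789d887b9391c971424f5a823ffe72d8694d37713eb1e73f3aede646 |
"""

if __name__ == "__main__":
    groups = group_by_sha256(parse_files_section(SAMPLE_FILES))
    print(f"{len(groups)} distinct SHA256 values")
    for digest, paths in multi_path_hashes(groups).items():
        print(digest)
        for p in paths:
            print("   ", p)
```

The grouping keys on SHA256 only; MD5 and SHA1 are parsed but not trusted for identity, since collisions for both are practical.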
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-07 01:02
Reported
2023-12-07 01:05
Platform
win10v2004-20231127-en
Max time kernel
154s
Max time network
162s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\odt\\explorer.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Users\\Default\\Saved Games\\spoolsv.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Users\\Default\\Saved Games\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Users\\Default\\Saved Games\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\wininit.exe\", \"C:\\Program Files\\Uninstall Information\\dwm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\driversessioncrt\winRefMonitor.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\Saved Games\\spoolsv.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Defender\\de-DE\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\Saved Games\\spoolsv.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Uninstall Information\\dwm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Uninstall Information\\dwm.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Defender\\de-DE\\wininit.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\"" | C:\driversessioncrt\winRefMonitor.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Uninstall Information\6cb0b6c459d5d3 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files\Windows Defender\de-DE\56085415360792 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\088424020bedd6 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\en-US\5b884080fd4f94 | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files\Windows Defender\de-DE\wininit.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files\Uninstall Information\dwm.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File created | C:\Program Files\ModifiableWindowsApps\Registry.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | C:\driversessioncrt\winRefMonitor.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\driversessioncrt\winRefMonitor.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe
"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "
C:\driversessioncrt\winRefMonitor.exe
"C:\driversessioncrt\winRefMonitor.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c27bbc71-6775-4ee3-b607-e84b32aee802.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac64032d-c22d-4c37-9054-5ed1672efd3c.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c4cd8d-5d6d-49ad-b0b6-52c857eb6ea0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05b7c832-2497-4d0e-8a5c-20f59396a5f1.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6456acd-8ee4-40f0-addb-79668c1996a8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\090a44c2-b0f8-4bf4-9980-3d2ed75a7616.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4776bb40-6d7d-44cd-9e4a-4dcdb921d473.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e34886-9c93-4c6e-b82f-34be045332b1.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\184d4178-ba22-4563-a801-e33d6a7c8ad6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cce3b71-ce66-4372-94be-b5aebb138519.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d3db136-1657-4ca0-8b00-ae6796820123.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\764ef9f6-e6cf-4189-b8ee-7d7c7994f828.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ec08751-b681-4bac-b1a8-e4999c98d8a1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38beff78-6db4-4ad3-ae73-da695f383ddd.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ec852f-af23-4b1c-ac53-2bdedec689fc.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7844476-8e4e-4b7e-bc3f-79454c661585.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb0f8bc6-5270-4044-9174-c7fe08174d44.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3513ed5e-cc76-41ce-a2f3-c6f08a8c2a80.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd89738d-0af5-4f1d-a4a5-792869bf4983.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84fed986-2aac-4175-ae87-4e2519289131.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8188d727-d87d-46f7-977a-3e813f00fb3b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\119fbecb-e36d-415d-af22-f4a47140160a.vbs"
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tool5245636476.000webhostapp.com | udp |
| US | 145.14.144.70:80 | tool5245636476.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 70.144.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.23.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.86.100.95.in-addr.arpa | udp |
| US | 145.14.145.234:80 | tool5245636476.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 234.145.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 145.14.144.9:80 | tool5245636476.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 9.144.14.145.in-addr.arpa | udp |
Files
memory/2956-0-0x0000000000860000-0x0000000000C88000-memory.dmp
memory/2956-12-0x0000000000860000-0x0000000000C88000-memory.dmp
C:\driversessioncrt\file.vbs
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe
| MD5 | d7664d494b1b6e05334ada9accc57d06 |
| SHA1 | 2cc50d284a600e30287fdef5efe56a586199eb28 |
| SHA256 | 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6 |
| SHA512 | 7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6 |
C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat
| MD5 | 40a5023d150998b4ba256dd94ea31230 |
| SHA1 | 36702bfd3e71b3495e61ea589003bb856b959aca |
| SHA256 | e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc |
| SHA512 | 6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15 |
C:\driversessioncrt\winRefMonitor.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Recovery\WindowsRE\Registry.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\c27bbc71-6775-4ee3-b607-e84b32aee802.vbs
| MD5 | b88d4a3a4b740de33743386189d5158f |
| SHA1 | 8052965de2ac17880fea574168469991027fb252 |
| SHA256 | 8cbefb3f2ec86e130b27011934fdb8d9133f54f5fb97f6c4c0ecf412980440af |
| SHA512 | 98200cd454719e905d9bc89472e5eac7c6a49d2446ccd4476ee8359df28e6385929784a8b7bbadb36e63a3e7957ef152eee4a211ad18808744c3a5c9141403a0 |
C:\Users\Admin\AppData\Local\Temp\ac64032d-c22d-4c37-9054-5ed1672efd3c.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
memory/860-103-0x00007FFEBEB50000-0x00007FFEBF611000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
| MD5 | 49b64127208271d8f797256057d0b006 |
| SHA1 | b99bd7e2b4e9ed24de47fb3341ea67660b84cca1 |
| SHA256 | 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77 |
| SHA512 | f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e |
C:\Users\Admin\AppData\Local\Temp\d0c4cd8d-5d6d-49ad-b0b6-52c857eb6ea0.vbs
| MD5 | 3331e33efbba06546fe247e8ca8a9fd4 |
| SHA1 | 5a1a168c8341965ff0f135af8f0e7ccf15b875a9 |
| SHA256 | ca1866b0ca3e88ac1a094e8c50385c3e3bf98089b6e274eca848728bdd0a0fe2 |
| SHA512 | da73510a632e6000b209cf6e3bde7a891009c19db0465003afc287a4c94a1f9ca5ab6f57d49f695188a7ab13ccc0f76f6afa6df18f856eb32da7aa72e7e0807d |
C:\Users\Admin\AppData\Local\Temp\05b7c832-2497-4d0e-8a5c-20f59396a5f1.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
C:\Users\Admin\AppData\Local\Temp\2cabb165dada42e1e19104601b59ab888f669e70.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
memory/1748-120-0x00007FFEBEC70000-0x00007FFEBF731000-memory.dmp
memory/4852-122-0x00007FFEBEC70000-0x00007FFEBF731000-memory.dmp
memory/4852-123-0x000000001B370000-0x000000001B380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d6456acd-8ee4-40f0-addb-79668c1996a8.vbs
| MD5 | bddb590cb06ef3328367070b291c5371 |
| SHA1 | 7111891a457e0c78c45000e78f97355dc1bf380c |
| SHA256 | a4eb43a315adc89e7fc602551590acebcddbc4e21cb8ec462dbc2e6b2661d04d |
| SHA512 | 0db89f0642e14dd2b7df5f82602164bc4ce019e19eec3797364b74c5cdf223bf0f5446b96d399964fd90326ec53e4ce1992608f6c8dbf8205aa399b6b71dc59d |
C:\Users\Admin\AppData\Local\Temp\090a44c2-b0f8-4bf4-9980-3d2ed75a7616.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
memory/4852-134-0x00007FFEBEC70000-0x00007FFEBF731000-memory.dmp
memory/3892-136-0x00007FFEBEC70000-0x00007FFEBF731000-memory.dmp
memory/3892-137-0x000000001B4A0000-0x000000001B4B0000-memory.dmp
memory/3892-138-0x000000001B470000-0x000000001B482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4776bb40-6d7d-44cd-9e4a-4dcdb921d473.vbs
| MD5 | 22ba8b6eaead824d90367fbea994e092 |
| SHA1 | 421abd4b5a45f5432d5edf0521207dd5bebf6375 |
| SHA256 | 2bec7c202af7d671f4b2a6e751f34b1794e32fdd789d110421d338f7bb9b1329 |
| SHA512 | ced137a436d4922b496f09f0021e5705df4a8400386c0068c45e431e40c27e03dd289380a3252b0ce126195ff607bdf70a888c22d7d0d26d82f18ef0525bdf6c |
C:\Users\Admin\AppData\Local\Temp\08e34886-9c93-4c6e-b82f-34be045332b1.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
memory/3892-149-0x00007FFEBEC70000-0x00007FFEBF731000-memory.dmp
memory/1660-151-0x00007FFEBEC70000-0x00007FFEBF731000-memory.dmp
memory/1660-152-0x000000001BBF0000-0x000000001BC00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\184d4178-ba22-4563-a801-e33d6a7c8ad6.vbs
| MD5 | bfc62d491cf261a894d198c90e5d26c0 |
| SHA1 | 77b862afd5d5cd7231d359cafc36f74ec2254fdc |
| SHA256 | 278d0707dcc274d1c9afab447d003ff843ded8ee5cf79fd5ab7d782308e955ce |
| SHA512 | f7b9286ca974e139890add2e1aa52b57692d45db48871cdc786edea1507e28e933f87083c68ffa64d11092ec2ef5fe366b2881efa287f9877bc50a8ebc01bc7f |
C:\Users\Admin\AppData\Local\Temp\6cce3b71-ce66-4372-94be-b5aebb138519.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
memory/1660-163-0x00007FFEBEC70000-0x00007FFEBF731000-memory.dmp
memory/4840-165-0x00007FFEBEC70000-0x00007FFEBF731000-memory.dmp
memory/4840-166-0x000000001BE60000-0x000000001BE70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8d3db136-1657-4ca0-8b00-ae6796820123.vbs
| MD5 | a42730509405e9727f077fb1e10f05f6 |
| SHA1 | 66a0fa3d14756369fb2971c1c6702ac19087b54d |
| SHA256 | cbb5ec00a556328b7849141ed2518a6350c8453c1adefff2af7d689b508c0202 |
| SHA512 | d9a92e57630027f4f06120504b62f68b3d755f781969348046f8b70b3c8bb4f481e78593398f81c386d584a287a07fa10114b4f54b4f6cb218b914d85b12c18d |
C:\Users\Admin\AppData\Local\Temp\764ef9f6-e6cf-4189-b8ee-7d7c7994f828.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\2cabb165dada42e1e19104601b59ab888f669e70.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\1ec08751-b681-4bac-b1a8-e4999c98d8a1.vbs
| MD5 | 0a9d2547efe3231fbeac4a44deb1e72a |
| SHA1 | 145267dc807b45ca21b209dc1cd6703e59f25701 |
| SHA256 | 11e47b8a60f9b0d98c3e6a37c5431413b0b7db0534f04b6764be4ad99362d448 |
| SHA512 | b8cbbea25c4bb8338271f62af8f82b90f0431c86278cab7cb7262fdb2c598b87082f3f35fde1a8792a9ddaab3461649e9d718207358718d3cdc4af602a1a9a2a |
C:\Users\Admin\AppData\Local\Temp\38beff78-6db4-4ad3-ae73-da695f383ddd.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\2cabb165dada42e1e19104601b59ab888f669e70.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\37ec852f-af23-4b1c-ac53-2bdedec689fc.vbs
| MD5 | 836b4492ae5f4ee9f7401581f1d86069 |
| SHA1 | 9e4c307ef5281b190b2960a94f99a5ff25a1425e |
| SHA256 | 46000e0842c1c0e7d739484b42c6666fd70abbc1712c75eef6389787db08c58a |
| SHA512 | d12e96b076a8d88ac0df7b4b8266ce6f1fe044cc4631f6de1561f862581ed836914e232557699c305dcf4bd04207087426110e766bad788bb2631a1e7f01b44e |
C:\Users\Admin\AppData\Local\Temp\a7844476-8e4e-4b7e-bc3f-79454c661585.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\2cabb165dada42e1e19104601b59ab888f669e70.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\fb0f8bc6-5270-4044-9174-c7fe08174d44.vbs
| MD5 | c1299601ab47b8eebf141377a418aafa |
| SHA1 | b21e99c9650380f5d0f8fea0a0bbc70e73a52a70 |
| SHA256 | 54c0d8f804324b316adf4bf166e142367097729b91abdb60bae8e5a1303c953f |
| SHA512 | 75c0860a972205294a53f04dcae72db38e294efe76e17a2932fa817e0dedb47cd02ec346f999887451ee9e158d2993efc56f81fe965219897ee8d3b7b224fc9f |
C:\Users\Admin\AppData\Local\Temp\3513ed5e-cc76-41ce-a2f3-c6f08a8c2a80.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\2cabb165dada42e1e19104601b59ab888f669e70.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\bd89738d-0af5-4f1d-a4a5-792869bf4983.vbs
| MD5 | 9deb15d3a1262b993c5d772b4bce8af8 |
| SHA1 | 01a0698501643eec4e21e1e8eef49e482b07f463 |
| SHA256 | 614eeb4b1e7ec3e81c7059fbb063f82014272f0a5fa6450395c0c4eaf6205486 |
| SHA512 | be7523016dd183615a7c5090bc5d8e7fdd3a98d1cfee2cc482e40c5dc42389f1981ea15c1701e2b0a812749d81741f62e4f0fe69fbe511c57122c7934482028c |
C:\Users\Admin\AppData\Local\Temp\84fed986-2aac-4175-ae87-4e2519289131.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\2cabb165dada42e1e19104601b59ab888f669e70.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |
C:\Users\Admin\AppData\Local\Temp\8188d727-d87d-46f7-977a-3e813f00fb3b.vbs
| MD5 | a8a73638587c5d3bb27d0f060c7c6bb3 |
| SHA1 | 4aae3c956dd01d03eab172225c05fc02ed45d458 |
| SHA256 | 61566dbfdc8a1512d7e9f400d77cb66faf7a9a615dd863f0aba0db208714ae9c |
| SHA512 | 68117e14d25392c46bd6bad3d00022d8051130ac7f779c92355fdd4fd762b21c8defd57fd196169a45fa0505bf13f7c42cb10a4d3fa02d70f097b16faf06bc3c |
C:\Users\Admin\AppData\Local\Temp\119fbecb-e36d-415d-af22-f4a47140160a.vbs
| MD5 | 18286ed6e5cde0d765057ca3a580182a |
| SHA1 | 9a837e37d932ea7158cacbffe68c91161b73938f |
| SHA256 | 9c9aafb60ed7c381fb14ae1ebe19c16ec39ede5bf015b0898c03c3fdc543134b |
| SHA512 | 4fe6a680d2b13d72ea71201c1bb49553e8e03713286472c3d5d463b321c7876a40ea37e9c3873693657aa3ddb851638b1728d55f44f2582f3aaefbdee29a28a7 |
C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
| MD5 | 20ec8d347f674ebadc53399ef6aa49cb |
| SHA1 | f418d228eb276f216b4986b55b2c762d11991a31 |
| SHA256 | 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f |
| SHA512 | e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44 |