Malware Analysis Report

2025-08-06 00:35

Sample ID 231207-bdx17aaaa9
Target 0924b9eca922c9227c4f426be5174bae.exe
SHA256 e2955eb9de3b2d1d49eef7d0ff565d033429f0cb628439ef17571426758f58d8
Tags
dcrat evasion infostealer persistence rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0924b9eca922c9227c4f426be5174bae.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer persistence rat trojan

Dcrat family

DcRat

Modifies WinLogon for persistence

Process spawned unexpected child process

UAC bypass

DCRat payload

Disables Task Manager via registry modification

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

System policy modification

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2023-12-07 01:02

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 01:02

Reported

2023-12-07 01:04

Platform

win7-20231130-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\27d1bcfc3c54e0 C:\driversessioncrt\winRefMonitor.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\", \"C:\\driversessioncrt\\WmiPrvSE.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\", \"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\", \"C:\\Windows\\Logs\\DPX\\System.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\", \"C:\\Windows\\Resources\\Themes\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\", \"C:\\driversessioncrt\\audiodg.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\driversessioncrt\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\tracing\\System.exe\", \"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Resources\\Themes\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winRefMonitor = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\winRefMonitor.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Resources\\Themes\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\driversessioncrt\\taskhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\tracing\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Logs\\DPX\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\driversessioncrt\\taskhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Documents\\My Music\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Logs\\DPX\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\driversessioncrt\\audiodg.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\cb3b2b82-8fa0-11ee-b553-66adf901a452\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\driversessioncrt\\WmiPrvSE.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\driversessioncrt\\WmiPrvSE.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\driversessioncrt\\audiodg.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\tracing\\System.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\lsm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\driversessioncrt\winRefMonitor.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\lsm.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\101b941d020240 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe C:\driversessioncrt\winRefMonitor.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\lsm.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\tracing\27d1bcfc3c54e0 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\Logs\DPX\27d1bcfc3c54e0 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\Resources\Themes\lsm.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\Resources\Themes\101b941d020240 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\tracing\System.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\Logs\DPX\System.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\System.exe C:\driversessioncrt\winRefMonitor.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\ja-JP\System.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\27d1bcfc3c54e0 C:\driversessioncrt\winRefMonitor.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A
N/A N/A C:\driversessioncrt\WmiPrvSE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\driversessioncrt\winRefMonitor.exe N/A
Token: SeDebugPrivilege N/A C:\driversessioncrt\winRefMonitor.exe N/A
Token: SeDebugPrivilege N/A C:\driversessioncrt\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\driversessioncrt\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\driversessioncrt\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\driversessioncrt\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\driversessioncrt\WmiPrvSE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 3036 wrote to memory of 2672 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2672 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2672 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2672 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2672 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2672 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2672 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2600 wrote to memory of 2920 N/A C:\driversessioncrt\winRefMonitor.exe C:\Windows\System32\cmd.exe
PID 2600 wrote to memory of 2920 N/A C:\driversessioncrt\winRefMonitor.exe C:\Windows\System32\cmd.exe
PID 2600 wrote to memory of 2920 N/A C:\driversessioncrt\winRefMonitor.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2920 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2920 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2672 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2920 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2920 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 2920 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 1704 wrote to memory of 2708 N/A C:\driversessioncrt\winRefMonitor.exe C:\Windows\System32\cmd.exe
PID 1704 wrote to memory of 2708 N/A C:\driversessioncrt\winRefMonitor.exe C:\Windows\System32\cmd.exe
PID 1704 wrote to memory of 2708 N/A C:\driversessioncrt\winRefMonitor.exe C:\Windows\System32\cmd.exe
PID 2708 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2708 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2708 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2708 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\driversessioncrt\WmiPrvSE.exe
PID 2708 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\driversessioncrt\WmiPrvSE.exe
PID 2708 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\driversessioncrt\WmiPrvSE.exe
PID 2608 wrote to memory of 2480 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 2480 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 2480 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 2532 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 2532 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 2532 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 1228 N/A C:\Windows\System32\WScript.exe C:\driversessioncrt\WmiPrvSE.exe
PID 2480 wrote to memory of 1228 N/A C:\Windows\System32\WScript.exe C:\driversessioncrt\WmiPrvSE.exe
PID 2480 wrote to memory of 1228 N/A C:\Windows\System32\WScript.exe C:\driversessioncrt\WmiPrvSE.exe
PID 1228 wrote to memory of 584 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1228 wrote to memory of 584 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1228 wrote to memory of 584 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1228 wrote to memory of 1720 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1228 wrote to memory of 1720 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1228 wrote to memory of 1720 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 584 wrote to memory of 1156 N/A C:\Windows\System32\WScript.exe C:\driversessioncrt\WmiPrvSE.exe
PID 584 wrote to memory of 1156 N/A C:\Windows\System32\WScript.exe C:\driversessioncrt\WmiPrvSE.exe
PID 584 wrote to memory of 1156 N/A C:\Windows\System32\WScript.exe C:\driversessioncrt\WmiPrvSE.exe
PID 1156 wrote to memory of 2132 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1156 wrote to memory of 2132 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1156 wrote to memory of 2132 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1156 wrote to memory of 1056 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1156 wrote to memory of 1056 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 1156 wrote to memory of 1056 N/A C:\driversessioncrt\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2132 wrote to memory of 2560 N/A C:\Windows\System32\WScript.exe C:\driversessioncrt\WmiPrvSE.exe
PID 2132 wrote to memory of 2560 N/A C:\Windows\System32\WScript.exe C:\driversessioncrt\WmiPrvSE.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe

"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "

C:\driversessioncrt\winRefMonitor.exe

"C:\driversessioncrt\winRefMonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winRefMonitor" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winRefMonitorw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winRefMonitor.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\driversessioncrt\winRefMonitor.exe

"C:\driversessioncrt\winRefMonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\driversessioncrt\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\driversessioncrt\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\driversessioncrt\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\driversessioncrt\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\driversessioncrt\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\driversessioncrt\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cb3b2b82-8fa0-11ee-b553-66adf901a452\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\My Music\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\driversessioncrt\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xe7arYpjg5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\driversessioncrt\WmiPrvSE.exe

"C:\driversessioncrt\WmiPrvSE.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\450c16c7-ee9f-4ebc-a927-cf3f8b05165f.vbs"

C:\driversessioncrt\WmiPrvSE.exe

C:\driversessioncrt\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\637d706c-a1ce-4ce4-9b33-b227fbbb446d.vbs"

C:\driversessioncrt\WmiPrvSE.exe

C:\driversessioncrt\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5030860-20de-45de-aba2-0db5efd833d6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b15092e8-533d-459d-a089-5f50c20e1ca8.vbs"

C:\driversessioncrt\WmiPrvSE.exe

C:\driversessioncrt\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d713c53-cb1c-43d2-94e6-a72fad8eb119.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f6889d3-8327-4e2e-9322-6ca8dca686c4.vbs"

C:\driversessioncrt\WmiPrvSE.exe

C:\driversessioncrt\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6fcf201-70c8-4236-a9f3-8f49afea59e0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1fe53a8-5110-4358-8cd2-25d748242543.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.144.249:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.249:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.249:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.249:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.145.163:80 tool5245636476.000webhostapp.com tcp
US 145.14.145.163:80 tool5245636476.000webhostapp.com tcp

Files

memory/3052-0-0x00000000012C0000-0x00000000016E8000-memory.dmp

memory/3052-12-0x00000000012C0000-0x00000000016E8000-memory.dmp

C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe

MD5 d7664d494b1b6e05334ada9accc57d06
SHA1 2cc50d284a600e30287fdef5efe56a586199eb28
SHA256 531da88fff8963b42512583a711381b3ceef16ff6ff9763547e6eabf5665f9d6
SHA512 7e73fc680bd8aab94b89724c81cfd8e0b679ba0a9a4abca8dc522f1169f4123a8f2844677819190f1faba5df19c584fb1a7e7f2e361e57463050b7d3dc3eccb6

C:\driversessioncrt\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat

MD5 40a5023d150998b4ba256dd94ea31230
SHA1 36702bfd3e71b3495e61ea589003bb856b959aca
SHA256 e9706a7a4d0fda27dac28f357e20d924779b307b0222c9a34f18701e5b78fbfc
SHA512 6deca418669bf26c67cbcc67f97478a445bf87ba3e1a886d479ee9a4ad736b0b47b196ed77e40f31ad2292ecbd43ec0129c0ce6a7b0915cc787f598577f26a15

\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2600-21-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2600-20-0x0000000000900000-0x0000000000C6A000-memory.dmp

memory/2600-22-0x000000001B100000-0x000000001B180000-memory.dmp

memory/2600-23-0x0000000000440000-0x000000000044E000-memory.dmp

memory/2600-24-0x0000000000450000-0x000000000045E000-memory.dmp

memory/2600-25-0x00000000005E0000-0x00000000005E8000-memory.dmp

memory/2600-26-0x00000000008A0000-0x00000000008BC000-memory.dmp

memory/2600-27-0x00000000005F0000-0x00000000005F8000-memory.dmp

memory/2600-28-0x00000000008C0000-0x00000000008D0000-memory.dmp

memory/2600-29-0x00000000008D0000-0x00000000008E6000-memory.dmp

memory/2600-30-0x00000000008F0000-0x00000000008F8000-memory.dmp

memory/2600-31-0x0000000002200000-0x0000000002212000-memory.dmp

memory/2600-32-0x0000000002210000-0x000000000221C000-memory.dmp

memory/2600-33-0x0000000002220000-0x0000000002228000-memory.dmp

memory/2600-34-0x0000000002230000-0x0000000002240000-memory.dmp

memory/2600-35-0x0000000002240000-0x000000000224A000-memory.dmp

memory/2600-36-0x00000000022E0000-0x0000000002336000-memory.dmp

memory/2600-37-0x0000000002250000-0x000000000225C000-memory.dmp

memory/2600-38-0x00000000023B0000-0x00000000023B8000-memory.dmp

memory/2600-39-0x00000000023C0000-0x00000000023CC000-memory.dmp

memory/2600-40-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/2600-41-0x00000000023E0000-0x00000000023F2000-memory.dmp

memory/2600-42-0x0000000002410000-0x000000000241C000-memory.dmp

memory/2600-43-0x0000000002420000-0x000000000242C000-memory.dmp

memory/2600-44-0x000000001A9C0000-0x000000001A9C8000-memory.dmp

memory/2600-45-0x000000001A9D0000-0x000000001A9DC000-memory.dmp

memory/2600-46-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

memory/2600-47-0x000000001A9F0000-0x000000001A9F8000-memory.dmp

memory/2600-48-0x000000001AF30000-0x000000001AF3C000-memory.dmp

memory/2600-49-0x000000001AF40000-0x000000001AF4A000-memory.dmp

memory/2600-50-0x000000001AF50000-0x000000001AF5E000-memory.dmp

memory/2600-51-0x000000001AF60000-0x000000001AF68000-memory.dmp

memory/2600-52-0x000000001AF70000-0x000000001AF7E000-memory.dmp

memory/2600-53-0x000000001AF80000-0x000000001AF88000-memory.dmp

memory/2600-54-0x000000001AF90000-0x000000001AF9C000-memory.dmp

memory/2600-55-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

memory/2600-56-0x000000001B0B0000-0x000000001B0BA000-memory.dmp

memory/2600-57-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat

MD5 0bc99b36ffd928554df8059cdad89664
SHA1 3250fc8aecbfa46eb5f9e621daa123fc235e4fdd
SHA256 afd56dd8bc6fb82b10e83ccc91fb6403e5b6e4c1f2ac180152afe53e3606244d
SHA512 d0a97728914bdc6bd64056377e1ef654ab08dc92327f509a3f4d9e8a302987502c34262febdb4fca8ae7a0c1725258a9cadd0a25cd5db29d9d91dce1de7b8ae6

memory/2600-67-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/1704-70-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

memory/1704-69-0x0000000000C70000-0x0000000000FDA000-memory.dmp

memory/1704-71-0x000000001B090000-0x000000001B110000-memory.dmp

memory/1704-72-0x0000000000B20000-0x0000000000B32000-memory.dmp

memory/1704-73-0x00000000024F0000-0x0000000002546000-memory.dmp

C:\Windows\Resources\Themes\lsm.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\xe7arYpjg5.bat

MD5 58f7105be112bc3a14fdcb21145cd649
SHA1 608e43e9aa73e65e31003e492b874f8735fc9365
SHA256 6bf9d10f6e7f0dbd1318881e20bf34b98088a29e3c68a45350576e4be26a790c
SHA512 31cb23a1ad61955ce562148f71a3a9ef8d61a116722c7d32849a285a4cb6cab41351e43afdd03b87ad5241134440ebd62494e8cf55bb3316455eca26fdfd5950

memory/1704-103-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

C:\driversessioncrt\WmiPrvSE.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\driversessioncrt\WmiPrvSE.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2608-107-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2608-106-0x0000000000180000-0x00000000004EA000-memory.dmp

memory/2608-108-0x000000001AB90000-0x000000001AC10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

C:\Users\Admin\AppData\Local\Temp\450c16c7-ee9f-4ebc-a927-cf3f8b05165f.vbs

MD5 0aec6349b4d56d44e28c77c8c5405463
SHA1 4556a90d3c5b6f0897a51504e1f01d1ec6c94dc4
SHA256 2661308329712c966dcb8d79036d4f9d67f6c3454142518921a6e34db21d0f5d
SHA512 e6ed17f22ff45c2d0387f112bcdc340ee51df16fb1e594eb2822083ba035332c9b1feb1f02ae8b7d474ca8dfa1fadf95834669e720ccab7dbd051fdecdf678e0

memory/2608-118-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2608-119-0x000000001AB90000-0x000000001AC10000-memory.dmp

memory/2608-120-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\driversessioncrt\WmiPrvSE.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/1228-122-0x0000000000150000-0x00000000004BA000-memory.dmp

memory/1228-123-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

memory/1228-124-0x000000001B3B0000-0x000000001B430000-memory.dmp

memory/1228-125-0x00000000008E0000-0x00000000008F2000-memory.dmp

memory/1228-126-0x00000000009B0000-0x00000000009C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

C:\Users\Admin\AppData\Local\Temp\637d706c-a1ce-4ce4-9b33-b227fbbb446d.vbs

MD5 2b95c1c6867ffbe2930f9d719d56d416
SHA1 9e93ce929fa91d21836341c2dcbfb4553bd8cecd
SHA256 dfab9690789d887b9391c971424f5a823ffe72d8694d37713eb1e73f3aede646
SHA512 41ff5b2ee04e4e07cee4dbc7c2702e5bed9bfb2385dd06f02ed1833c87b33f67b1066ccba65e4c826292273f7e9a4ece19d0c998fcddbb209f432daaa29d0e86

C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/1228-137-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

memory/1228-138-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

C:\driversessioncrt\WmiPrvSE.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/1156-140-0x0000000001070000-0x00000000013DA000-memory.dmp

memory/1156-141-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/1156-142-0x0000000000740000-0x0000000000752000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\d5030860-20de-45de-aba2-0db5efd833d6.vbs

MD5 3ac74fe9a39410eddf94b58512e53818
SHA1 6b50a212f305ee9a36cf0cbd49c3409c6842d1e2
SHA256 81a10f3c0549fdd5f9e8a87fff6a3b6730089afc189679c0ec7594da2c39dee9
SHA512 bfae59ea84604a9f061137e52df1cb99971d6ff9404f8b4663c5147a8812c2c647ec6b8c0d77b5bcb48deb99c506aa2867aa27897abfebd287a4471966cbd0e5

C:\Users\Admin\AppData\Local\Temp\b15092e8-533d-459d-a089-5f50c20e1ca8.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

memory/1156-153-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\driversessioncrt\WmiPrvSE.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2560-155-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\3d713c53-cb1c-43d2-94e6-a72fad8eb119.vbs

MD5 511ee97dc9e9de1a531bc3a6337e6680
SHA1 2b9ec24ca8b6435b6a715a5f7e7f6f8a4bca5c0c
SHA256 dfaa0931ae6e3bac5a769962a523f9029734c2ff5bf85d348ea269300029be58
SHA512 22d0fc3c89b54461fdd8e0ab1220368e7d9e154914624adda620699ccc1221671ff04b847a888db4d926a5b3eca957bbba3990d9c80037702fc36927b45690ef

C:\Users\Admin\AppData\Local\Temp\2f6889d3-8327-4e2e-9322-6ca8dca686c4.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7

C:\driversessioncrt\WmiPrvSE.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\a6fcf201-70c8-4236-a9f3-8f49afea59e0.vbs

MD5 88137f82f4e244a665d2ccc03aacb609
SHA1 70b4c2dbcf3fd3eae9bfd9cbfdf9c13d4872116e
SHA256 83eb170234daf01456c7875f9c8e9f9f1349aea5c10ac872aab080b95bf3f699
SHA512 81424ae9c795fb2106384e16746d1c4701a4b6b2b8f79e522a458b6d9750232f6532e39887d949f23a1b816e9c37b7077a2052d5dffb374188194f7fce303208

C:\Users\Admin\AppData\Local\Temp\e1fe53a8-5110-4358-8cd2-25d748242543.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA1 eb903b8b7d92a1ce784d9f615be419726326a5f3
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9
SHA512 aad937b15323720dac11e2c97a7b7751c6d9d84795f48fdc810dc130cb757b2a854418c03092cb2dcb5a9256098afa0e084464fc73efaba441fb50c063122da7
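
Several of the entries above are the same bytes under different names: the PE with SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f is written as winRefMonitor.exe, lsm.exe, WmiPrvSE.exe and 89da897d18b1b3123871a766bf65e0fe744516fa.exe, and the VBS body with MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53 reappears under fresh GUID file names. Grouping the list by hash collapses those into indicators that survive renaming. The script below is an added example, not part of the report; it parses the plain-text layout used here (a drive-letter path line followed by MD5/SHA1/SHA256/SHA512 lines), and the "a group whose file names are all GUIDs was named at random" rule is an assumption of the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt in this report's file-list layout. Paths and hashes are
# copied from the entries above; SHA1/SHA512 lines are left out for brevity and
# one memory-dump line is kept to show that it carries no hashes and is skipped.
SAMPLE_FILE_LIST = r"""
C:\driversessioncrt\winRefMonitor.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

memory/1704-70-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

C:\Windows\Resources\Themes\lsm.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

C:\driversessioncrt\WmiPrvSE.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

C:\Users\Admin\AppData\Local\Temp\89da897d18b1b3123871a766bf65e0fe744516fa.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

C:\Users\Admin\AppData\Local\Temp\f962c14a-9068-49a5-be27-510a23b75307.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9

C:\Users\Admin\AppData\Local\Temp\ac381064-f986-429a-be30-03b8b45a84bf.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9

C:\Users\Admin\AppData\Local\Temp\b15092e8-533d-459d-a089-5f50c20e1ca8.vbs

MD5 5c3b61c4fb8c5d44a5d1c4fcb3d7ae53
SHA256 e666f3a621bbb7bdee9591c274b7950b1e09056d43147b67c3393dbed92e61c9

C:\Users\Admin\AppData\Local\Temp\450c16c7-ee9f-4ebc-a927-cf3f8b05165f.vbs

MD5 0aec6349b4d56d44e28c77c8c5405463
SHA256 2661308329712c966dcb8d79036d4f9d67f6c3454142518921a6e34db21d0f5d
"""

HASH_LINE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$')
PATH_LINE = re.compile(r'^[A-Za-z]:\\')
GUID_NAME = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_file_list(text):
    # Each dropped file is a drive-letter path followed by its hash lines.
    # memory/... lines match neither pattern and fall through untouched.
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_LINE.match(line):
            current = {'path': line}
            entries.append(current)
        elif current is not None and (m := HASH_LINE.match(line)):
            current[m.group(1)] = m.group(2).lower()
    return entries


def summarize(text):
    # Group paths by SHA256 so one body dropped under several names collapses
    # into a single indicator, and flag groups whose names are all GUIDs.
    groups = defaultdict(list)
    for entry in parse_file_list(text):
        if 'SHA256' in entry:
            groups[entry['SHA256']].append(entry['path'])
    report = []
    for sha256, paths in groups.items():
        names = [PureWindowsPath(p).name for p in paths]
        report.append({
            'sha256': sha256,
            'paths': paths,
            'names': sorted(set(names)),
            'random_names': all(GUID_NAME.match(PureWindowsPath(n).stem) for n in names),
        })
    return sorted(report, key=lambda g: len(g['paths']), reverse=True)


if __name__ == '__main__':
    for group in summarize(SAMPLE_FILE_LIST):
        tag = ' (random file names)' if group['random_names'] else ''
        print(f"{group['sha256'][:16]}...  x{len(group['paths'])}{tag}: {', '.join(group['names'])}")
```

Hunting with the hash rather than the file name matters here: the same payload will not be called WmiPrvSE.exe or lsm.exe on the next host, and the VBS names are regenerated every run.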

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 01:02

Reported

2023-12-07 01:05

Platform

win10v2004-20231127-en

Max time kernel

154s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\088424020bedd6 C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\odt\\explorer.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Users\\Default\\Saved Games\\spoolsv.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Users\\Default\\Saved Games\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Users\\Default\\Saved Games\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\wininit.exe\", \"C:\\Program Files\\Uninstall Information\\dwm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
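
The table attributes every schtasks.exe launch to C:\Windows\system32\wbem\wmiprvse.exe. The files section of this report also records a dropped C:\driversessioncrt\WmiPrvSE.exe carrying the same hash as winRefMonitor.exe, so on a live host the parent's full path, not just its name, decides whether an event is WMI-driven execution from the real provider host or a renamed copy of the RAT. The detector below is an added example, not part of the report: it classifies constructed process-creation records on both counts and separately counts schtasks.exe launches per parent, since dozens of task creations from one process in two minutes is an indicator on its own. The list of children treated as suspicious under wmiprvse.exe, the two legitimate wmiprvse.exe directories and the burst threshold are assumptions of the example.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon event 1 style, '|'-separated).
# The parent/child pairs mirror the table above; no line is from the report.
REAL_WMIPRVSE = r'C:\Windows\system32\wbem\wmiprvse.exe'
SCHTASKS = r'C:\Windows\system32\schtasks.exe'
SAMPLE_EVENTS = (
    [f'ParentImage={REAL_WMIPRVSE}|Image={SCHTASKS}'] * 5
    + [
        r'ParentImage=C:\driversessioncrt\WmiPrvSE.exe|Image=C:\Windows\system32\schtasks.exe',
        r'ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\system32\schtasks.exe',
        r'ParentImage=C:\Windows\system32\wbem\wmiprvse.exe|Image=C:\Windows\System32\WerFault.exe',
    ]
)

# The real WMI provider host starts child processes mainly when a client calls
# Win32_Process.Create, the same path remote-execution tooling uses; these
# children appearing under it are worth an alert (assumed list).
WMI_SUSPICIOUS_CHILDREN = {
    'schtasks.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe',
    'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe',
}
# Where wmiprvse.exe legitimately lives (assumption: Windows installed on C:).
WMIPRVSE_DIRS = {r'c:\windows\system32\wbem', r'c:\windows\syswow64\wbem'}


def parse_event(line):
    fields = dict(part.split('=', 1) for part in line.split('|'))
    return fields['ParentImage'], fields['Image']


def classify(parent, child):
    # Path-aware check: a wmiprvse.exe outside the wbem directories is a copy
    # borrowing the name; the genuine one is judged by what it spawns.
    p, c = PureWindowsPath(parent), PureWindowsPath(child)
    if p.name.lower() == 'wmiprvse.exe':
        if str(p.parent).lower() not in WMIPRVSE_DIRS:
            return 'masquerading_wmiprvse_parent'
        if c.name.lower() in WMI_SUSPICIOUS_CHILDREN:
            return 'wmi_spawned_lolbin'
    return 'ok'


def analyze(lines, burst_threshold=5):
    verdicts, task_spawns = [], Counter()
    for line in lines:
        parent, child = parse_event(line)
        verdicts.append((classify(parent, child), parent, child))
        if PureWindowsPath(child).name.lower() == 'schtasks.exe':
            task_spawns[parent.lower()] += 1
    # Many scheduled-task creations from a single parent in a short window.
    bursts = {p: n for p, n in task_spawns.items() if n >= burst_threshold}
    return verdicts, bursts


if __name__ == '__main__':
    verdicts, bursts = analyze(SAMPLE_EVENTS)
    for verdict, parent, child in verdicts:
        if verdict != 'ok':
            print(f'{verdict}: {parent} -> {child}')
    for parent, n in bursts.items():
        print(f'burst: {n} schtasks.exe launches from {parent}')
```

Feed it your own Sysmon or EDR process-creation events in the same two fields; the verdict distinguishes the two explanations the report leaves open, and the burst count catches the persistence spree even if the parent is something not on any list.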

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\driversessioncrt\winRefMonitor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\Saved Games\\spoolsv.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Defender\\de-DE\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\Saved Games\\spoolsv.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Uninstall Information\\dwm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\fontdrvhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Uninstall Information\\dwm.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Defender\\de-DE\\wininit.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A
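
The three registry tables above (Winlogon Shell, the UAC policy writes and the Run keys) describe one scheme: copies of the payload named after Windows system processes (conhost.exe, smss.exe, dllhost.exe, spoolsv.exe, wininit.exe, dwm.exe, fontdrvhost.exe, Registry.exe, explorer.exe) are planted outside C:\Windows and appended to the Winlogon Shell list and to both Run hives, while EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are zeroed. One caveat on the "UAC bypass" label: those values live under HKLM\...\Policies\System, which only an already-elevated process can write, so the effect is to switch UAC off for everything that follows (EnableLUA=0 takes effect at the next boot, ConsentPromptBehaviorAdmin=0 elevates administrators silently, PromptOnSecureDesktop=0 removes the secure desktop) rather than to slip past a prompt. The script below is an added example, not part of the report: it parses lines in the "Set value (type) key = "value" process target" layout used here and flags extra Shell entries, zeroed UAC policies and Run entries that masquerade as system binaries. The list of system-process names, the rule that their legitimate copies sit under C:\Windows, and the benign OneDrive control line are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of the tables above. The first four lines
# reproduce writes the report records (the Shell value is shortened to two
# extra entries); the OneDrive line is a benign control, not from the report.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\"" C:\driversessioncrt\winRefMonitor.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\"" C:\Windows\explorer.exe N/A',
]

# key is everything up to ' = "', the value keeps the report's \" and \\ escapes,
# the process path may contain spaces, the target is the final token.
SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = '
    r'"(?P<raw>(?:\\.|[^"\\])*)" (?P<process>.+) (?P<target>\S+)$'
)

# System-process names this sample borrows for its copies. Real ones live under
# C:\Windows; "Registry" is a kernel process with no exe at all (assumed list).
SYSTEM_NAMES = {
    'conhost.exe', 'smss.exe', 'dllhost.exe', 'explorer.exe', 'spoolsv.exe',
    'wininit.exe', 'dwm.exe', 'fontdrvhost.exe', 'registry.exe', 'lsm.exe',
    'wmiprvse.exe', 'csrss.exe', 'lsass.exe', 'svchost.exe', 'winlogon.exe',
}

# A zero in any of these disables the corresponding UAC control.
UAC_WEAK = {'EnableLUA': '0', 'ConsentPromptBehaviorAdmin': '0', 'PromptOnSecureDesktop': '0'}


def unescape(raw):
    # Undo the \" and \\ escaping the report applies inside quoted values.
    return re.sub(r'\\(.)', r'\1', raw)


def split_entries(value):
    # Winlogon\Shell is a comma-separated program list; Run values are a single
    # (usually quoted) command. Quoted items may contain commas and spaces.
    items = []
    for quoted, bare in re.findall(r'"([^"]*)"|([^,"]+)', value):
        item = (quoted or bare).strip()
        if item:
            items.append(item)
    return items


def is_masquerade(path):
    # A system-process file name outside C:\Windows is a copy pretending to be
    # the real thing (assumption: Windows is installed on C:).
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_NAMES and not str(p).lower().startswith('c:\\windows\\')


def analyze(lines):
    findings = []
    for line in lines:
        m = SET_VALUE.match(line.strip())
        if not m:
            continue
        key, name = m['key'].rsplit('\\', 1)
        value, proc = unescape(m['raw']), m['process']
        key_l = key.lower()
        if key_l.endswith(r'\winlogon') and name.lower() == 'shell':
            # The default is exactly "explorer.exe"; every extra entry runs at logon.
            extra = [e for e in split_entries(value) if e.lower() != 'explorer.exe']
            if extra:
                findings.append(('winlogon_shell_extra', extra, proc))
        elif key_l.endswith(r'\policies\system') and UAC_WEAK.get(name) == value:
            findings.append(('uac_disabled', name, proc))
        elif key_l.endswith(r'\currentversion\run'):
            for entry in split_entries(value):
                if is_masquerade(entry):
                    findings.append(('run_key_masquerade', entry, proc))
    return findings


if __name__ == '__main__':
    for kind, detail, proc in analyze(SAMPLE_LINES):
        print(f'{kind:22} {detail}  (written by {proc})')
```

The same three checks translate directly to a live host: read Winlogon\Shell and expect exactly explorer.exe, read the three Policies\System values and expect non-zero, and walk both Run hives for paths whose file name belongs to a system process but whose directory does not.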

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\driversessioncrt\winRefMonitor.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\6cb0b6c459d5d3 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Defender\de-DE\56085415360792 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\088424020bedd6 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\5b884080fd4f94 C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Windows Defender\de-DE\wininit.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\Uninstall Information\dwm.exe C:\driversessioncrt\winRefMonitor.exe N/A
File created C:\Program Files\ModifiableWindowsApps\Registry.exe C:\driversessioncrt\winRefMonitor.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\driversessioncrt\winRefMonitor.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\driversessioncrt\winRefMonitor.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2956 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2956 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2956 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2956 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 2956 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe C:\Windows\SysWOW64\WScript.exe
PID 4020 wrote to memory of 4164 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4164 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 4164 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 4164 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\driversessioncrt\winRefMonitor.exe
PID 408 wrote to memory of 860 N/A C:\driversessioncrt\winRefMonitor.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 408 wrote to memory of 860 N/A C:\driversessioncrt\winRefMonitor.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 4164 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4164 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4164 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 860 wrote to memory of 4640 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 860 wrote to memory of 4640 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 860 wrote to memory of 2112 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 860 wrote to memory of 2112 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4640 wrote to memory of 1748 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 4640 wrote to memory of 1748 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 1748 wrote to memory of 376 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 1748 wrote to memory of 376 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 1748 wrote to memory of 840 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 1748 wrote to memory of 840 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 376 wrote to memory of 4852 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 376 wrote to memory of 4852 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 4852 wrote to memory of 3052 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4852 wrote to memory of 3052 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4852 wrote to memory of 2056 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4852 wrote to memory of 2056 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 3052 wrote to memory of 3892 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 3052 wrote to memory of 3892 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 3892 wrote to memory of 4044 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 3892 wrote to memory of 4044 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 3892 wrote to memory of 2980 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 3892 wrote to memory of 2980 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4044 wrote to memory of 1660 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 4044 wrote to memory of 1660 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 1660 wrote to memory of 4060 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 1660 wrote to memory of 4060 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 1660 wrote to memory of 484 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 1660 wrote to memory of 484 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4060 wrote to memory of 4840 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 4060 wrote to memory of 4840 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 4840 wrote to memory of 3716 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4840 wrote to memory of 3716 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4840 wrote to memory of 808 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4840 wrote to memory of 808 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 3716 wrote to memory of 4460 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 3716 wrote to memory of 4460 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 4460 wrote to memory of 4280 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4460 wrote to memory of 4280 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4460 wrote to memory of 4052 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4460 wrote to memory of 4052 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 4280 wrote to memory of 752 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 4280 wrote to memory of 752 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 752 wrote to memory of 1244 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 752 wrote to memory of 1244 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 752 wrote to memory of 4428 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 752 wrote to memory of 4428 N/A C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe C:\Windows\System32\WScript.exe
PID 1244 wrote to memory of 4404 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe
PID 1244 wrote to memory of 4404 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\driversessioncrt\winRefMonitor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe

"C:\Users\Admin\AppData\Local\Temp\0924b9eca922c9227c4f426be5174bae.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\iS3ZXZH7eGWUacRHzrnroa.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driversessioncrt\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\driversessioncrt\7RYLxGVGAwiFGBwguvuUrv9KTj4HIJ.bat" "

C:\driversessioncrt\winRefMonitor.exe

"C:\driversessioncrt\winRefMonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c27bbc71-6775-4ee3-b607-e84b32aee802.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac64032d-c22d-4c37-9054-5ed1672efd3c.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c4cd8d-5d6d-49ad-b0b6-52c857eb6ea0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05b7c832-2497-4d0e-8a5c-20f59396a5f1.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6456acd-8ee4-40f0-addb-79668c1996a8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\090a44c2-b0f8-4bf4-9980-3d2ed75a7616.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4776bb40-6d7d-44cd-9e4a-4dcdb921d473.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e34886-9c93-4c6e-b82f-34be045332b1.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\184d4178-ba22-4563-a801-e33d6a7c8ad6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cce3b71-ce66-4372-94be-b5aebb138519.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d3db136-1657-4ca0-8b00-ae6796820123.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\764ef9f6-e6cf-4189-b8ee-7d7c7994f828.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ec08751-b681-4bac-b1a8-e4999c98d8a1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38beff78-6db4-4ad3-ae73-da695f383ddd.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ec852f-af23-4b1c-ac53-2bdedec689fc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7844476-8e4e-4b7e-bc3f-79454c661585.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb0f8bc6-5270-4044-9174-c7fe08174d44.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3513ed5e-cc76-41ce-a2f3-c6f08a8c2a80.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd89738d-0af5-4f1d-a4a5-792869bf4983.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84fed986-2aac-4175-ae87-4e2519289131.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8188d727-d87d-46f7-977a-3e813f00fb3b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\119fbecb-e36d-415d-af22-f4a47140160a.vbs"

C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe"

Network


Files
