Analysis Overview
SHA256
942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc
Threat Level: Known bad
The file 942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
UAC bypass
DCRat payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks whether UAC is enabled
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Uses Task Scheduler COM API
System policy modification
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:19
Reported
2024-06-01 08:22
Platform
win7-20240221-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| N/A | N/A | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| N/A | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| N/A | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| N/A | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| N/A | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| N/A | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| N/A | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| N/A | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| N/A | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office\smss.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files\Microsoft Office\69ddcba757bf72 | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\runtimeDhcpCommon.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f360414d2400fd | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files\7-Zip\runtimeDhcpCommon.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files\7-Zip\f360414d2400fd | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\taskhost.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\b75386f1303e64 | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\b75386f1303e64 | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Windows\debug\WIA\csrss.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Windows\debug\WIA\886983d96e3d3e | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Windows\Fonts\taskhost.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc.exe
"C:\Users\Admin\AppData\Local\Temp\942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\file.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat" "
C:\surrogatedriverbroker\runtimeDhcpCommon.exe
"C:\surrogatedriverbroker\runtimeDhcpCommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Fonts\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\surrogatedriverbroker\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\surrogatedriverbroker\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\surrogatedriverbroker\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\surrogatedriverbroker\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\surrogatedriverbroker\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\surrogatedriverbroker\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\surrogatedriverbroker\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\surrogatedriverbroker\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\surrogatedriverbroker\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimeDhcpCommonr" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\runtimeDhcpCommon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimeDhcpCommon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\runtimeDhcpCommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimeDhcpCommonr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\runtimeDhcpCommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimeDhcpCommonr" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\runtimeDhcpCommon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimeDhcpCommon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\runtimeDhcpCommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimeDhcpCommonr" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\runtimeDhcpCommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\surrogatedriverbroker\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\surrogatedriverbroker\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\surrogatedriverbroker\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O7HKQCkFs0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1653b538-9861-4329-8afa-6e64386e59a1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46984ab4-5ac0-4896-91e4-a5e431c862ee.vbs"
C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f461798-ed89-42a6-841f-0f35b4828033.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ae1463c-e62c-44fc-b38e-9c37b3e79566.vbs"
C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65a4efce-29a0-44d3-b859-f70cd10be928.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c6bc18c-38b0-450b-8f59-4160affac473.vbs"
C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\510f076d-892d-478c-934a-76488b6a334b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb5ed599-db96-4659-b7db-50b1db524c25.vbs"
C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bbd41ab-7030-4023-a4fd-adae1c2419de.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\748fee6a-fa82-43b3-88b2-895056cb1f91.vbs"
C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73df5055-25e0-4073-ba3c-ce2336da7aac.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f10cc233-0bff-4631-89e4-944bcef48206.vbs"
C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90b223e4-b6a1-4230-9c34-f9bfc5ee06e7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ef274d-9e9a-4fd4-9427-9905080f2beb.vbs"
C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7e2a53d-1a59-4e70-a3d8-a63a426dba18.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\819928f0-2556-47dc-95ce-ce07bb1318f8.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0981474.xsph.ru | udp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
Files
memory/1208-0-0x0000000000400000-0x0000000000C6C000-memory.dmp
memory/1208-5-0x0000000003600000-0x0000000003602000-memory.dmp
memory/2568-6-0x0000000000160000-0x0000000000162000-memory.dmp
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
| MD5 | d26ea8a9103b82d0e4f80b687f0c1adc |
| SHA1 | 811bc8c8b6fcca69882e483ed0d59d45e7851f1a |
| SHA256 | 50548a8353e5f24e36e11a4dfa2beb766b1adc1d358c54202447c8d389212eb5 |
| SHA512 | 68583d1f11ff00baebc5271e852848c7df76ff32df4788f91792d98728cbd69ccd04e4814265ecbb12b79ddd46bad35aafe1192551f526ff616df3e97ea7884e |
C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe
| MD5 | d9095993dc975aad0602ba66b32dad3d |
| SHA1 | 8c26fd1ad732827301e5af7de044420f0c06fbbe |
| SHA256 | 3329d6bb2e9c7115fb8ac58881e94796069d0b7874abccc4a0bc7718731de27e |
| SHA512 | 2c7adbd664c8ee7aa84c12eea0e7685f5e2275c9cd19f9a1dece9f9e3f958f9b05339be799b643fe1a0e20d8fb74ca3df0fcb9903d830137fa774b13281d7d3a |
C:\surrogatedriverbroker\file.vbs
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\Users\Admin\AppData\Local\Temp\channels4_profile.ico
| MD5 | 18cc2b457a795b627b37dda9cfd355c5 |
| SHA1 | 5778d3f45a662a681788e16426afdd266707f672 |
| SHA256 | c94678aff77a06737177b585f5c4139d5c67d41711754f055e9bed480522b7b1 |
| SHA512 | cd68c7304443aa951898fef5a45da3fb689f7c61bf1c468f2d19a8e929bc1c8b5f0c90caac630457ba27114a131fb80e5dc3ad3e4886fce91ca82a3ffcbfd75d |
C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat
| MD5 | 85cfb82d14d95349f280e53f0764fbfc |
| SHA1 | 645a8f36343a8e4b88966ab70a4a24f49b9ca2b9 |
| SHA256 | 3628bedd47e43459572a27570f4cf9c4ef2083703c2fbc32f3f7a67b7a109371 |
| SHA512 | 02cb06aa443a044f0f1a492a2e30e3d9521902a9fefba54a829bffbb37eed07e4e1c9753cd8cca71baa1a1229343ecbd05940389165e35fc71b90f48fc1191e8 |
C:\surrogatedriverbroker\runtimeDhcpCommon.exe
| MD5 | dc167730759f4877ed79888e1f365249 |
| SHA1 | 5ce03602609fa90f26b3a6774519c006a9c20bf6 |
| SHA256 | 0704d02dd6f8b50b3b60652096539fe51cd5ae2d3b4092763245dfcf8dc68316 |
| SHA512 | d027f85c981d182b2f4bc359d86e1093c2a2ab72a78dc5d408bbb103c0626e0da3063173710ffbf2c94e2080aefe56154d371f39f09a9e6e1f4a1cd62e20140b |
memory/564-34-0x0000000000220000-0x000000000058A000-memory.dmp
memory/564-35-0x00000000005B0000-0x00000000005BE000-memory.dmp
memory/564-36-0x00000000005C0000-0x00000000005CE000-memory.dmp
memory/564-37-0x00000000005D0000-0x00000000005D8000-memory.dmp
memory/564-38-0x00000000005E0000-0x00000000005FC000-memory.dmp
memory/564-39-0x00000000006F0000-0x00000000006F8000-memory.dmp
memory/564-40-0x0000000000910000-0x0000000000920000-memory.dmp
memory/564-41-0x0000000000920000-0x0000000000936000-memory.dmp
memory/564-42-0x0000000000950000-0x0000000000958000-memory.dmp
memory/564-43-0x0000000002210000-0x0000000002222000-memory.dmp
memory/564-44-0x0000000002230000-0x000000000223C000-memory.dmp
memory/564-45-0x0000000000960000-0x0000000000968000-memory.dmp
memory/564-46-0x0000000002220000-0x0000000002230000-memory.dmp
memory/564-47-0x00000000022C0000-0x00000000022CA000-memory.dmp
memory/564-48-0x0000000002460000-0x00000000024B6000-memory.dmp
memory/564-49-0x00000000024B0000-0x00000000024BC000-memory.dmp
memory/564-50-0x00000000024C0000-0x00000000024C8000-memory.dmp
memory/564-51-0x00000000024D0000-0x00000000024DC000-memory.dmp
memory/564-52-0x00000000024E0000-0x00000000024E8000-memory.dmp
memory/564-53-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/564-54-0x0000000002520000-0x000000000252C000-memory.dmp
memory/564-55-0x000000001AA90000-0x000000001AA9C000-memory.dmp
memory/564-56-0x000000001AAA0000-0x000000001AAA8000-memory.dmp
memory/564-57-0x000000001AE80000-0x000000001AE8C000-memory.dmp
memory/564-58-0x000000001AE90000-0x000000001AE9C000-memory.dmp
memory/564-59-0x000000001AFB0000-0x000000001AFB8000-memory.dmp
memory/564-60-0x000000001AEA0000-0x000000001AEAC000-memory.dmp
memory/564-61-0x000000001AFC0000-0x000000001AFCA000-memory.dmp
memory/564-62-0x000000001AFD0000-0x000000001AFDE000-memory.dmp
memory/564-63-0x000000001AFE0000-0x000000001AFE8000-memory.dmp
memory/564-64-0x000000001AFF0000-0x000000001AFFE000-memory.dmp
memory/564-65-0x000000001B000000-0x000000001B008000-memory.dmp
memory/564-66-0x000000001B010000-0x000000001B01C000-memory.dmp
memory/564-67-0x000000001B020000-0x000000001B028000-memory.dmp
memory/564-68-0x000000001B0B0000-0x000000001B0BA000-memory.dmp
memory/564-69-0x000000001B0C0000-0x000000001B0CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\O7HKQCkFs0.bat
| MD5 | 5f7f40e4bce3394d091164ca97a8eacd |
| SHA1 | ad7b6141d72e1b18513387fcceeb23fc454e74be |
| SHA256 | 687c7098505c4a2fd254a1c383a75033a691b3ac5663cc7f1ccca7ead5a6d467 |
| SHA512 | b69028e5a32334337ea259358a39415949f71a5a8b87223a40afaaf9beeb2642e39612ff354ed5d82d69f912f3497a405ce8cf1f73193e8faf035c726dd94941 |
memory/2100-115-0x00000000008D0000-0x0000000000C3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1653b538-9861-4329-8afa-6e64386e59a1.vbs
| MD5 | ba9cb55ce6f9bedaa22c9ac61a4898db |
| SHA1 | 454f7bd263037a32de19083d3d08754610767ad4 |
| SHA256 | 48e58dbabd39daaa54b1de71ad57e634bf50bc0471126b1cea3a16f2cf2fb6ca |
| SHA512 | 3757a47bb146b8ab486c631e6e0a581459e11cc8070d2c3abf9979bce417d4deb7e5af54b76e46b8643de7350dffbb56f4aefd2c64c740c714a1314a76fd6ebc |
C:\Users\Admin\AppData\Local\Temp\46984ab4-5ac0-4896-91e4-a5e431c862ee.vbs
| MD5 | 2a584e3c26e5316f87ff8b6d6cc2918b |
| SHA1 | 0257a7785680d8406c571cc2fc207393e7b49725 |
| SHA256 | ceb43046b8e5498c5126f986c1c2b46313a6f12ca34115c36f4d96de5d90e0f6 |
| SHA512 | 6a798aa392f6dfd54628c1564b1808cf1befde07b97d840d1c6c80d79090219e3107e8feb0bd5a4de86d86379fb61bb1ab5e701508e2aa2b7a3f79d2e07c6172 |
memory/908-126-0x0000000001220000-0x000000000158A000-memory.dmp
memory/908-127-0x0000000000380000-0x0000000000392000-memory.dmp
memory/908-128-0x0000000000640000-0x0000000000696000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9f461798-ed89-42a6-841f-0f35b4828033.vbs
| MD5 | 088a5547a5692a43b69e71b32c016298 |
| SHA1 | d0c66119ad8cbaea0e3dc0e02f8539d47b298125 |
| SHA256 | ff0b96bdef25fd6867853b5b12ff6766a4f06476f2209d21cef405ad01a7e0a9 |
| SHA512 | eb9bed2f621c3b24d7f15d37d7528683fd0aa8ded0399e3d323fb38e7fe45bf2b76b23653ba1ac571ec2d16ae9ae9654a5253d354edc653afdfd9f947722c50d |
C:\Users\Admin\AppData\Local\Temp\65a4efce-29a0-44d3-b859-f70cd10be928.vbs
| MD5 | 9a3999c346f3805d418ae356d37077cd |
| SHA1 | 1ca607ebf9c345ae7edf2e0aa32e1b3b8dac89e1 |
| SHA256 | 3ba01ddc46dd15be3354a70ccd4c3a16a2b90bfda85f2fa3b573407f142b2153 |
| SHA512 | cdd467d8baf74a1bbe7e2ac98c189c2818b6eaaa9eb578f5327e8149f06e45f075277502c33a2e1ecf39f3b4cdfbbed82b589cdffc31fd3536860acc6266d9d3 |
C:\Users\Admin\AppData\Local\Temp\510f076d-892d-478c-934a-76488b6a334b.vbs
| MD5 | f720ae2570fdfa140398ac87dce05eee |
| SHA1 | c224b4ae5612e7eeb82fcea53b0e9f1a5e20e958 |
| SHA256 | dc52d055d4d99d905f76ac0143adcce6f3f72bab1b647b1ac5a1c6d01dc63031 |
| SHA512 | db7215fb850787e8bd2c4da65d7b6e32f5c931b21cb8c6d8f5e2ad26e7c0fa6a41a8819ca547b034e82e40720634eb7d209ff423a8ddb91f2cc4a5c1aef872ff |
C:\Users\Admin\AppData\Local\Temp\8bbd41ab-7030-4023-a4fd-adae1c2419de.vbs
| MD5 | 41e5e14172965b337d50ceb64dae810b |
| SHA1 | 38c397275ec0f458c9b478fbd58dfc36b026a66a |
| SHA256 | d27705e9818273c4c9f2a14d2c9853e357bd0b5eca2f455cfd60385ba457113b |
| SHA512 | 98e2b1dac7f507e7e4474cef4d135378f0732b5485a8a6afe24f00ae6b9d9c84b9280fa250c58c920580929f77eef0ba9f0b6ca6e486f783835ca0a30cf00b97 |
C:\Users\Admin\AppData\Local\Temp\73df5055-25e0-4073-ba3c-ce2336da7aac.vbs
| MD5 | 991b12a87152c48254efbf4116966fe6 |
| SHA1 | a63bf559e9c5a9525b42dfa5aa9a0c5ff7858603 |
| SHA256 | f69e421a90d3fc002ebb7dede1d2a8d0a5b2fbc04f8165253f12469afa9a4c4f |
| SHA512 | 93cb0578347d4e003568b4b0944ca669637cd01e4d75e2ef8a8b2181f73cedd36aee8d4c9665d43e4085d6b2da14aa11e9256a0f372de1235685cdaf4b15f6f4 |
C:\Users\Admin\AppData\Local\Temp\90b223e4-b6a1-4230-9c34-f9bfc5ee06e7.vbs
| MD5 | feaca1ea7018609484015b4905c2cb6e |
| SHA1 | 0b5786c025103f2e0500515167c6ded0a606ec5c |
| SHA256 | dfb81447baf425be753ff4352e4ebc52de2f83bde649296e39f982d8e29d9bf0 |
| SHA512 | ee915f2365ef024eb2adcdc0cb6fa267b7631b2a44b5ed91c2f3634bb13a5beac605abfcfef5c90d8a6863375b9186f66946c7a96b91e1d35046faeb99fda45a |
memory/1796-195-0x0000000000330000-0x000000000069A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a7e2a53d-1a59-4e70-a3d8-a63a426dba18.vbs
| MD5 | 056b4243ab8dc5141ccc02c2a75c5a75 |
| SHA1 | 1ae0471caa79a96c1b053b62cfa098b39c366ac3 |
| SHA256 | ae7491cae17de0ca31e4685b00e82fc01fce439fc56eeb49dcf97b2f1187b922 |
| SHA512 | d0e2fdadabe8fdecbd9ed5c518a5f0a729cf9941ec4dcb511e4c5c51ed0550b5363ca3eeb8fd3222b35ee65b5c062dda3248df3f85edffc32daa511cbf620e1b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:19
Reported
2024-06-01 08:22
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\wininit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| N/A | N/A | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\wininit.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Security\wininit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Security\56085415360792 | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9 | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office16\csrss.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office16\886983d96e3d3e | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\dwm.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\6cb0b6c459d5d3 | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Program Files\Windows Security\wininit.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\WaaS\dllhost.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Windows\PLA\dwm.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File opened for modification | C:\Windows\PLA\dwm.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Windows\PLA\6cb0b6c459d5d3 | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| File created | C:\Windows\diagnostics\winlogon.exe | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files\Windows Security\wininit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\surrogatedriverbroker\runtimeDhcpCommon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Security\wininit.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc.exe
"C:\Users\Admin\AppData\Local\Temp\942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc.exe"
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\file.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat" "
C:\surrogatedriverbroker\runtimeDhcpCommon.exe
"C:\surrogatedriverbroker\runtimeDhcpCommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PLA\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\surrogatedriverbroker\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\surrogatedriverbroker\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\surrogatedriverbroker\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\surrogatedriverbroker\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\surrogatedriverbroker\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\surrogatedriverbroker\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eed0b5eb-d2d6-4125-b8c2-84a1cb68c7fa.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3659003f-2c64-49dd-9ce9-7f26d386215d.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\725612be-24d1-4961-92f7-8003820a9ab9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1845a368-56d2-4028-b7a4-33b6a7014c7d.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b043004d-1aa5-44da-aca4-7a0ff966b229.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6972173a-42f9-4338-85d3-2b8ec9ca80d8.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b9f69b7-76f9-4820-8c07-0f738a332ccb.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a40857f-61fd-422c-b7fb-36a3e7cbb99b.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e369caa8-f634-4558-9b0f-d7b221fa4878.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95dcb2c0-7f49-4707-9943-b778f5cd5d27.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af8a7360-f58f-4b41-9c6f-b7c2e397c1b8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f575b5cc-e6d2-4ed7-9959-39bad10b4811.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd3c06c2-5a72-4c59-aae4-e3c4d44eca16.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\288d22dc-4c1a-4ba2-83d9-c2198f063c72.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4056a0e5-8be1-49f6-9a0d-e8e81b2729da.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a562d2ef-cfb2-4b6c-b8b8-b0832ac92474.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd3f9aff-b636-4d46-a07d-cd4d6c755796.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20353de0-a784-47c2-91ca-615045f73ac4.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e771713-bd51-45d7-9670-408fe72300d5.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7097357b-dafc-4e53-bd65-adf2cc8855e9.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62404fd4-ac7f-4bdc-9c7a-25c0bde12778.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56063bed-4208-4783-8251-f862acbb487a.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6607471a-7435-4622-bace-e6335497f6e6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f25d943e-e6b3-41e0-b0bc-2fc0f1be946a.vbs"
C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66604296-972c-4d0c-9513-4ff312614ef1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23d1cebb-4f95-41cc-a412-29e608541e86.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0981474.xsph.ru | udp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| US | 8.8.8.8:53 | 149.194.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0981474.xsph.ru | tcp |
Files
memory/1992-0-0x0000000000400000-0x0000000000C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New Project 1.exe
| MD5 | bba499baa7c430d4f0bac0b231e75b82 |
| SHA1 | 743a8a70bae9478061103d668b0d000371fd1840 |
| SHA256 | 418b1fb225defe29d9605e560757d93048210818c49dce49f62a1f7f5e02f2fc |
| SHA512 | 17c745b9919405a6243564b7f44c7b9e3ae586dec6a2947572072b2c45a65e020cbcaf54f0761393cf088f7f4006492cda22ae3e9d19d416fd35a66f49e6cdeb |
C:\Users\Admin\AppData\Local\Temp\channels4_profile.ico
| MD5 | 18cc2b457a795b627b37dda9cfd355c5 |
| SHA1 | 5778d3f45a662a681788e16426afdd266707f672 |
| SHA256 | c94678aff77a06737177b585f5c4139d5c67d41711754f055e9bed480522b7b1 |
| SHA512 | cd68c7304443aa951898fef5a45da3fb689f7c61bf1c468f2d19a8e929bc1c8b5f0c90caac630457ba27114a131fb80e5dc3ad3e4886fce91ca82a3ffcbfd75d |
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
| MD5 | d26ea8a9103b82d0e4f80b687f0c1adc |
| SHA1 | 811bc8c8b6fcca69882e483ed0d59d45e7851f1a |
| SHA256 | 50548a8353e5f24e36e11a4dfa2beb766b1adc1d358c54202447c8d389212eb5 |
| SHA512 | 68583d1f11ff00baebc5271e852848c7df76ff32df4788f91792d98728cbd69ccd04e4814265ecbb12b79ddd46bad35aafe1192551f526ff616df3e97ea7884e |
C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe
| MD5 | d9095993dc975aad0602ba66b32dad3d |
| SHA1 | 8c26fd1ad732827301e5af7de044420f0c06fbbe |
| SHA256 | 3329d6bb2e9c7115fb8ac58881e94796069d0b7874abccc4a0bc7718731de27e |
| SHA512 | 2c7adbd664c8ee7aa84c12eea0e7685f5e2275c9cd19f9a1dece9f9e3f958f9b05339be799b643fe1a0e20d8fb74ca3df0fcb9903d830137fa774b13281d7d3a |
C:\surrogatedriverbroker\file.vbs
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat
| MD5 | 85cfb82d14d95349f280e53f0764fbfc |
| SHA1 | 645a8f36343a8e4b88966ab70a4a24f49b9ca2b9 |
| SHA256 | 3628bedd47e43459572a27570f4cf9c4ef2083703c2fbc32f3f7a67b7a109371 |
| SHA512 | 02cb06aa443a044f0f1a492a2e30e3d9521902a9fefba54a829bffbb37eed07e4e1c9753cd8cca71baa1a1229343ecbd05940389165e35fc71b90f48fc1191e8 |
C:\surrogatedriverbroker\runtimeDhcpCommon.exe
| MD5 | dc167730759f4877ed79888e1f365249 |
| SHA1 | 5ce03602609fa90f26b3a6774519c006a9c20bf6 |
| SHA256 | 0704d02dd6f8b50b3b60652096539fe51cd5ae2d3b4092763245dfcf8dc68316 |
| SHA512 | d027f85c981d182b2f4bc359d86e1093c2a2ab72a78dc5d408bbb103c0626e0da3063173710ffbf2c94e2080aefe56154d371f39f09a9e6e1f4a1cd62e20140b |
memory/4968-113-0x0000000000AC0000-0x0000000000E2A000-memory.dmp
memory/4968-114-0x00000000015E0000-0x00000000015EE000-memory.dmp
memory/4968-115-0x0000000001600000-0x000000000160E000-memory.dmp
memory/4968-116-0x0000000001610000-0x0000000001618000-memory.dmp
memory/4968-117-0x0000000003040000-0x000000000305C000-memory.dmp
memory/4968-118-0x000000001C110000-0x000000001C160000-memory.dmp
memory/4968-119-0x0000000003060000-0x0000000003068000-memory.dmp
memory/4968-120-0x000000001BA90000-0x000000001BAA0000-memory.dmp
memory/4968-121-0x000000001BAA0000-0x000000001BAB6000-memory.dmp
memory/4968-122-0x000000001BAC0000-0x000000001BAC8000-memory.dmp
memory/4968-123-0x000000001BAE0000-0x000000001BAF2000-memory.dmp
memory/4968-124-0x000000001BAF0000-0x000000001BAFC000-memory.dmp
memory/4968-125-0x000000001BAD0000-0x000000001BAD8000-memory.dmp
memory/4968-126-0x000000001C260000-0x000000001C270000-memory.dmp
memory/4968-127-0x000000001C270000-0x000000001C27A000-memory.dmp
memory/4968-128-0x000000001C280000-0x000000001C2D6000-memory.dmp
memory/4968-129-0x000000001C2D0000-0x000000001C2DC000-memory.dmp
memory/4968-130-0x000000001C2E0000-0x000000001C2E8000-memory.dmp
memory/4968-131-0x000000001C2F0000-0x000000001C2FC000-memory.dmp
memory/4968-132-0x000000001C300000-0x000000001C308000-memory.dmp
memory/4968-133-0x000000001C310000-0x000000001C322000-memory.dmp
memory/4968-134-0x000000001C870000-0x000000001CD98000-memory.dmp
memory/4968-136-0x000000001C350000-0x000000001C35C000-memory.dmp
memory/4968-135-0x000000001C340000-0x000000001C34C000-memory.dmp
memory/4968-137-0x000000001C360000-0x000000001C368000-memory.dmp
memory/4968-138-0x000000001C370000-0x000000001C37C000-memory.dmp
memory/4968-139-0x000000001C380000-0x000000001C38C000-memory.dmp
memory/4968-140-0x000000001C600000-0x000000001C608000-memory.dmp
memory/4968-145-0x000000001C5D0000-0x000000001C5DE000-memory.dmp
memory/4968-144-0x000000001C5C0000-0x000000001C5C8000-memory.dmp
memory/4968-147-0x000000001C5F0000-0x000000001C5FC000-memory.dmp
memory/4968-146-0x000000001C5E0000-0x000000001C5E8000-memory.dmp
memory/4968-143-0x000000001C4B0000-0x000000001C4BE000-memory.dmp
memory/4968-142-0x000000001C4A0000-0x000000001C4AA000-memory.dmp
memory/4968-141-0x000000001C490000-0x000000001C49C000-memory.dmp
memory/4968-148-0x000000001C610000-0x000000001C618000-memory.dmp
memory/4968-149-0x000000001C720000-0x000000001C72A000-memory.dmp
memory/4968-150-0x000000001C620000-0x000000001C62C000-memory.dmp
memory/4272-178-0x0000000002590000-0x00000000025A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eed0b5eb-d2d6-4125-b8c2-84a1cb68c7fa.vbs
| MD5 | 17301914b0c5223dfdafc9ce0da0209f |
| SHA1 | e9826434dd1b0beb18f4f7408caca52df39755dd |
| SHA256 | fb4248cf71eabda97b99bd88b66ee0ef86a8fdc41cc4f7230bb8cb630053f172 |
| SHA512 | c78fa3b38db1e093150816ff054ee79467ef43ca47cefe6ed977f8a3138d796e774d9190f09355d2b6857bd0961449f69963acfba662ed39c7b0b4e56589b171 |
C:\Users\Admin\AppData\Local\Temp\3659003f-2c64-49dd-9ce9-7f26d386215d.vbs
| MD5 | 82a9e795310136d03b23154f45984b54 |
| SHA1 | dae13d308eedb456ca20c52f6cdb449ccbe755ae |
| SHA256 | 56da0676301f4893bbfa1069c5e94d91cde8bda7f39fa6277a03800f6fabe71a |
| SHA512 | fc158469a3e0ba2d5ecb83c06590070c80999ef74cbcf7766c35f68cad6b91ed36e7a4366f0990a87aed13bc92d81d7bed4c0d1ddea10cde8d02bab394ca9f58 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
| MD5 | 49b64127208271d8f797256057d0b006 |
| SHA1 | b99bd7e2b4e9ed24de47fb3341ea67660b84cca1 |
| SHA256 | 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77 |
| SHA512 | f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e |
C:\Users\Admin\AppData\Local\Temp\725612be-24d1-4961-92f7-8003820a9ab9.vbs
| MD5 | dd39cd4f7195f57fa3d7050a9dbf394f |
| SHA1 | 0e6075650afd640ccd0a87316e7345176ba772e7 |
| SHA256 | 9043f3ff03c9a6f05567ee42652ab755aee5609991815792ccfe8fa0944fd522 |
| SHA512 | 215e190b86ba850fcac6c97576231e7958ae411e975fddd96c60e3b3b01d380e76c95a9e132518871ff85f39d2a5e47310d65f1a2e1954e09ad018e2fe4b9809 |
memory/4552-202-0x000000001B120000-0x000000001B132000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b043004d-1aa5-44da-aca4-7a0ff966b229.vbs
| MD5 | 2bf0b639f935fd1a898008ede4e6d42e |
| SHA1 | 64ca88ac2d317d29c861a8590d8f4b67fc9827f8 |
| SHA256 | 33ac2efe26d7af63a4c196f44502cfdc1318cd06f1bd3a17a687a72b1c2b9f9c |
| SHA512 | 6f3af42db474dd869e0f39e5314131d76a542e860ec2a5e46f753ca1be585858e61a8f37fbae95302daeac4c5b869ca51b87bff912366a433ec173c57ef45057 |
memory/2860-214-0x000000001BED0000-0x000000001BEE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0b9f69b7-76f9-4820-8c07-0f738a332ccb.vbs
| MD5 | 4aafc8f434e84a6c416dba1f18fdd5ef |
| SHA1 | 36d3ee96318e85dfe4eafba5c8be551a6e15c880 |
| SHA256 | 1d056073272572cfb6fb8c18de041af6056df8044db836c1c3536d173a3d87b0 |
| SHA512 | 7dcc50ed9a762cda78b1d92f8e7c766b52d1bdb160a22ab7a0f90d2c934fa4b177067601dbbfa51d103558ae9eec802b73c6021140d0821887f19e13f5633e81 |
memory/5108-226-0x000000001BCA0000-0x000000001BCB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e369caa8-f634-4558-9b0f-d7b221fa4878.vbs
| MD5 | c2b9d3c617f432f0b7e6a870ea61ce71 |
| SHA1 | ad95780d8dc77b2211106cfe057e3e7442a5628d |
| SHA256 | 0b14d5319dfa9aa65fe0f13b79bfd75c188b1dd16f94113a5ce6b74d20aa46de |
| SHA512 | 8e81ba8de38482e689ab8a88f0bc3eec75fd4016485521015c675da14335b024debf226db7494687961d8846ab85ac6b9abec2989ccea920ca2d3d91270612b3 |
C:\Users\Admin\AppData\Local\Temp\f19260860a3789cc3f71a79380bdb66bf435930a.exe
| MD5 | bff9cb4d8dbf26e3b82dfc84195ddb07 |
| SHA1 | 43d5083c284d60a596e5a7680c4bc2140e3bb960 |
| SHA256 | c36412224d71fb5a1036bcd5026a5b6a582489c77ea3343c6498f3bda3d460a0 |
| SHA512 | d2bb7ccc7e3dbc4d82c2571973d928ba0bd8f1de72fa4e3270cb35e5c22c13312906ec24858003da04acfe9641fb0618dea1832b9e98b4fa4a1ab147d0cbf188 |
C:\Users\Admin\AppData\Local\Temp\fd3c06c2-5a72-4c59-aae4-e3c4d44eca16.vbs
| MD5 | efe722e471a3bed1046883fc479b08ae |
| SHA1 | 4c72135b728406f6f989c83f4f4e6657fe692e3a |
| SHA256 | 1a0a1871252480460f084785c994c85a47dbd0930e0a4960c159b72e15e118af |
| SHA512 | 8a4d33ef853c664475dbbd91676516c76745b1297466d9fc317a8fa7349f884dce4e11abd303eac995cac47aadb03b1548f4144dc4198f2c01144d3bf94af8a4 |
C:\Users\Admin\AppData\Local\Temp\4056a0e5-8be1-49f6-9a0d-e8e81b2729da.vbs
| MD5 | b84abd48039b623fc1951a813a37ca39 |
| SHA1 | bdd69bf7dd7b651150a66bcce46fa40c79fb462e |
| SHA256 | 8184953b71a507ef526bc63acdc0819b3f1d6794139ff784a9cc94baef4615b7 |
| SHA512 | 2ad75618ea19bc47741ed8a8e21b6bad88a9527d284513ac0b527b0f88e818ff039a37aaf3c00f6cc7b6c41b1dad4dc973a2acfef22284683f3daa0802650259 |
memory/2932-270-0x0000000003520000-0x0000000003532000-memory.dmp
memory/2932-271-0x000000001BED0000-0x000000001BEE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cd3f9aff-b636-4d46-a07d-cd4d6c755796.vbs
| MD5 | 1dac5df35e7694c6f275c18606ddd5fc |
| SHA1 | 4e5f09855def22806fb970382b53e04627c424d3 |
| SHA256 | 114223bd14d3ef61d6637fa1ae1124ce8696c63cd4aa5aa11de17cb196f55a44 |
| SHA512 | 37a73886c13d3d21aaeccc30b601e3ebabd54dbb920a852a4dc19079988a0b4c2abebd3b75c8dfa09c0a4253396ffc5fc2041085f9dde1b81b15cfebf3515839 |
memory/1180-283-0x000000001B910000-0x000000001B922000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5e771713-bd51-45d7-9670-408fe72300d5.vbs
| MD5 | 5b52979582df4c9714864160dbb144ea |
| SHA1 | 2ee9687b0356b59701c528b33af190134843fbd9 |
| SHA256 | be5182164b4803c0f29a9bae8ea7b61c9d03596b5a9b52ec95726bfb37129a35 |
| SHA512 | 603a2da0ffea3410c93687a4b710afbab9001bf029d14d69ec088b08b329d7003398752d2862e65f7b5943bd814fbf7965e70e9f774b4568c86ade88b0483657 |
C:\Users\Admin\AppData\Local\Temp\62404fd4-ac7f-4bdc-9c7a-25c0bde12778.vbs
| MD5 | f01b0b7343566056fa51f964da5782f0 |
| SHA1 | acb4f6fc253aef37c39be30eb77f5bbf6f89419e |
| SHA256 | 314d7e4c89ce3def775c6a483368b8242ec4ce355d775824e41601e39db5fbc5 |
| SHA512 | e6af7754cd7bcfeaa93e891fffe7168a11c2ad0f223d200e4acf6e6e277a88a4434031c73230bf950d03241bb8cce4560dd34b171b30825fdff890799cf6412d |
C:\Users\Admin\AppData\Local\Temp\6607471a-7435-4622-bace-e6335497f6e6.vbs
| MD5 | 0838fed9c29b2917cb8282513ba57d72 |
| SHA1 | d08777818f2b0f2e1b9020039c3ea733aece31a8 |
| SHA256 | 81212c74a8c3f917e281e351e823b79a560452e956aa2ed5a18ca6136c407f12 |
| SHA512 | dcafc80ef85fabfce4a67070831a384cdd44bbb2910c92d6eb5759849c430f5a14b36c173b18b1546af5c05f67929bb7b3ccd2c5b6d4eebc2453cd34fbe0dd4c |
C:\Users\Admin\AppData\Local\Temp\66604296-972c-4d0c-9513-4ff312614ef1.vbs
| MD5 | c28a7136fc7552aeb89c0b1623360712 |
| SHA1 | 660fd552005fcfbff031937cab68015bc76573ae |
| SHA256 | bae4d6016f1409c1ea8f07baf819597a8ca87e7b4ffefe1c9cf1508363e87534 |
| SHA512 | f4e937bb917892310a9b9bb52df47ebed7220fb3e9f9a7f06c7ac3c5e96eceac5230f32a722812647faa592c654f9096e8466d7dece58fbb0d5e3ac507ea9b52 |