Analysis Overview
SHA256
4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a
Threat Level: Known bad
The file 4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Xworm
Detect Xworm Payload
DcRat
Process spawned unexpected child process
Detects Windows executables referencing non-Windows User-Agents
DCRat payload
Detects executables packed with SmartAssembly
Disables Task Manager via registry modification
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops startup file
Adds Run key to start application
Checks whether UAC is enabled
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Uses Task Scheduler COM API
Modifies registry key
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 01:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 01:24
Reported
2024-06-12 01:27
Platform
win7-20240221-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
DcRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Migration\\taskhost.exe\", \"C:\\Windows\\inf\\BITS\\040C\\csrss.exe\", \"C:\\Windows\\Logs\\winlogon.exe\", \"C:\\Users\\Public\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\Idle.exe\", \"C:\\MSOCache\\All Users\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Migration\\taskhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Migration\\taskhost.exe\", \"C:\\Windows\\inf\\BITS\\040C\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Migration\\taskhost.exe\", \"C:\\Windows\\inf\\BITS\\040C\\csrss.exe\", \"C:\\Windows\\Logs\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Migration\\taskhost.exe\", \"C:\\Windows\\inf\\BITS\\040C\\csrss.exe\", \"C:\\Windows\\Logs\\winlogon.exe\", \"C:\\Users\\Public\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Migration\\taskhost.exe\", \"C:\\Windows\\inf\\BITS\\040C\\csrss.exe\", \"C:\\Windows\\Logs\\winlogon.exe\", \"C:\\Users\\Public\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
Xworm
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| N/A | N/A | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Migration\\taskhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\inf\\BITS\\040C\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Logs\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\inf\\BITS\\040C\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Migration\\taskhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Logs\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PLA\\Rules\\fr-FR\\winlogon.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\6ccacd8608530f | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Public\Pictures\Sample Pictures\csrss.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a.exe
"C:\Users\Admin\AppData\Local\Temp\4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe"
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
"C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Rules\fr-FR\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\fr-FR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Rules\fr-FR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Migration\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\BITS\040C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\inf\BITS\040C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\BITS\040C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Logs\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a209358-c1a6-4390-8bd9-4b55c5e74fe6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f82abca4-095c-4e76-b4a3-3e628395c33f.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aac37528-c4f4-414c-b246-0b13265c9965.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ecf3cd4-5126-4268-8c85-5f66a6457014.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f940552-1dea-43f6-b00c-9bd1e5d7bfd0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc88c566-45b2-4b7b-a6c7-20a0f559b29f.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b0217b0-b674-4159-93ec-d867d3b4f25d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e0e7b2a-9835-4396-9781-1cb92603bc7e.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c175c62f-1951-44cc-87f3-1a243ada1afc.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebbc7579-85dc-4ca3-a0f8-73e426cbb3ec.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d724ce16-3e9a-4c7e-a42c-bcb20b79abc3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a5bfa3-b8b7-476d-b1be-74ccbfe3380c.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0931d4bc-2ba7-46cd-894a-dfc315e165ea.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeea8691-cbe2-4982-aeb2-ccddf9b5c2e4.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a677508c-d60a-4288-a6c7-bfaace1165c2.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e46a7347-b86a-4ec0-9acb-1e7f7dfc7576.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a315e66-1adb-40c9-a9fa-1cccbeb65fd4.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a911858c-8ce6-4a4e-9a25-99d2f7a05dee.vbs"
C:\Users\Public\Pictures\Sample Pictures\csrss.exe
"C:\Users\Public\Pictures\Sample Pictures\csrss.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:50230 | tcp | |
| N/A | 127.0.0.1:50230 | tcp | |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| N/A | 127.0.0.1:50230 | tcp | |
| N/A | 127.0.0.1:50230 | tcp | |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 8.8.8.8:53 | letter-takes.gl.at.ply.gg | udp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe
| MD5 | 57d593692c8428b66ed146e1fac689b7 |
| SHA1 | e9318d78efd4639d510ed9f39c8c3fca74ba9e14 |
| SHA256 | 9a75e3d28b75744ce468224b00ca5caedd73df7f71c797df2cbee2e9ac2d9a81 |
| SHA512 | 49293771dc734ca8802b0b9b8f61e77294819ab00983f5bb4f12205965e44abe2b5e5ead3ddf24fc8b5ab5392884b1422995c8b1e54b64fb693fcf3a50518f32 |
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
| MD5 | 95d7fc6faa389c5751de5c2f88d9580b |
| SHA1 | e6e7d542e3ec916464b77103b04e7f1722fe9a84 |
| SHA256 | a388d9b021ec9be1b20504d4673ac3388b64255b6b073bd4d3f348524b3e888b |
| SHA512 | c1b5d1ea1513225d1898eedb0344e08818703ccbd07f366970338cf83998dc32cf372d0367e6c128b356045a2c79164b8c17031be21553febf4da79ef7766fa2 |
\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 1be2b217087429a8397f448c9c7b8f8d |
| SHA1 | 4507e83e00cc18d738452d9217f4dfa19ca9d2de |
| SHA256 | d4482ca83d2a2dbd011c63739477e90893728af1a0b4e5fbc6413009573f7702 |
| SHA512 | 8588a0efaf8d857d773e5947d2ee7599559c1bdb139b5e28030e02aca6b93c0291ba80616ba06b3a96e50059d829b233cbf854ef807aa313cf8e7890613b8922 |
memory/2272-23-0x0000000000400000-0x00000000007DB000-memory.dmp
memory/2832-34-0x0000000000890000-0x000000000089E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe
| MD5 | cd2394b62b0e45e8f0fe6574406b69e4 |
| SHA1 | f85f70c37bb54ff9274f83b899f3127774687ddf |
| SHA256 | ec38aaa0de9073f8faa3feeaa3184c86162623f207331cd59e4cad94a68f4048 |
| SHA512 | d4ca9529dba04f0c19fd3ae2e3dd5b6e8292b87634168f26ad8d3cddfd63973ddab38e6f7aa393b6cab3c52b3e6d5360d07de8e5262bf064e09a64a608cf9058 |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat
| MD5 | 2d7ef4649d4d1191b1201674616cc588 |
| SHA1 | 88fb16975f9d9ef0512bc35f82b674215d856c24 |
| SHA256 | ea01569970e47289f27369c7019c9cd988d471bcc8b65337ec295806c419302d |
| SHA512 | b8cb8b6860a9fc892bc8398612c48b2c8c8e63ee10928a31e466a94255d7bbd0f22f2750621cd13364517c0a78fd887a09f005cafc7cfac5d72fb7d4a51b5489 |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
| MD5 | 7ec6bc11e4b2e409845e3160ec47f5d7 |
| SHA1 | c1a1a62f844556fd150c7515e124e98bf6d79a02 |
| SHA256 | b59342163ea5752e627b1eb236f42a9882f15fdff96ca77eba7b20e416f4a4f3 |
| SHA512 | 6e6d00144c0f73ca595008074b716631d79a73a4770b75acdc5ccc743c81b1b36b92bcbaa24c5b6eec5f4d8d01026e33a70d9fff4a133af075fe493feacfdbd3 |
memory/2800-49-0x00000000001D0000-0x000000000053A000-memory.dmp
memory/2800-50-0x00000000005B0000-0x00000000005BE000-memory.dmp
memory/2800-51-0x0000000000640000-0x000000000064E000-memory.dmp
memory/2800-52-0x00000000007C0000-0x00000000007C8000-memory.dmp
memory/2800-53-0x00000000007E0000-0x00000000007FC000-memory.dmp
memory/2800-54-0x0000000000800000-0x0000000000808000-memory.dmp
memory/2800-55-0x0000000000810000-0x0000000000820000-memory.dmp
memory/2800-56-0x0000000000820000-0x0000000000836000-memory.dmp
memory/2800-57-0x0000000000840000-0x0000000000848000-memory.dmp
memory/2800-58-0x00000000009E0000-0x00000000009F2000-memory.dmp
memory/2800-59-0x0000000000850000-0x000000000085C000-memory.dmp
memory/2800-60-0x0000000000A70000-0x0000000000A78000-memory.dmp
memory/2800-61-0x0000000000A80000-0x0000000000A90000-memory.dmp
memory/2800-62-0x0000000000A90000-0x0000000000A9A000-memory.dmp
memory/2800-63-0x0000000002560000-0x00000000025B6000-memory.dmp
memory/2800-64-0x0000000000AA0000-0x0000000000AAC000-memory.dmp
memory/2800-65-0x0000000000AB0000-0x0000000000AB8000-memory.dmp
memory/2800-66-0x0000000002400000-0x000000000240C000-memory.dmp
memory/2800-67-0x0000000002410000-0x0000000002418000-memory.dmp
memory/2800-68-0x0000000002420000-0x0000000002432000-memory.dmp
memory/2800-69-0x0000000002430000-0x000000000243C000-memory.dmp
memory/2800-70-0x00000000025B0000-0x00000000025BC000-memory.dmp
memory/2800-71-0x00000000025C0000-0x00000000025C8000-memory.dmp
memory/2800-72-0x00000000025D0000-0x00000000025DC000-memory.dmp
memory/2800-73-0x00000000025E0000-0x00000000025EC000-memory.dmp
memory/2800-74-0x00000000025F0000-0x00000000025F8000-memory.dmp
memory/2800-75-0x0000000002600000-0x000000000260C000-memory.dmp
memory/2800-76-0x0000000002610000-0x000000000261A000-memory.dmp
memory/2800-77-0x000000001AAA0000-0x000000001AAAE000-memory.dmp
memory/2800-78-0x000000001AAB0000-0x000000001AAB8000-memory.dmp
memory/2800-79-0x000000001AAC0000-0x000000001AACE000-memory.dmp
memory/2800-80-0x000000001AAD0000-0x000000001AAD8000-memory.dmp
memory/2800-81-0x000000001AAE0000-0x000000001AAEC000-memory.dmp
memory/2800-82-0x000000001AAF0000-0x000000001AAF8000-memory.dmp
memory/2800-83-0x000000001AB00000-0x000000001AB0A000-memory.dmp
memory/2800-84-0x000000001AFC0000-0x000000001AFCC000-memory.dmp
memory/2756-107-0x00000000010C0000-0x000000000142A000-memory.dmp
memory/2756-108-0x0000000000A90000-0x0000000000AA2000-memory.dmp
memory/2756-109-0x0000000000BA0000-0x0000000000BB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3a209358-c1a6-4390-8bd9-4b55c5e74fe6.vbs
| MD5 | 5cef23cb73e30f0e7a6ec876fe2ff302 |
| SHA1 | 4dc2704dbb954a52c401d69cd5d6c54c881649ff |
| SHA256 | a332d120ed98aa7453020726359d448d489b9e1db1999d45a75e4d2463d01113 |
| SHA512 | aeee5728f90f6ea9f8ed577e4f9bea3d9ef91456229263d4e62a4e6c653013fd6aec4ef8e72805419e875ec35ae5f7a7e3555b1e3c6f523ac02d6606d7f8d293 |
C:\Users\Admin\AppData\Local\Temp\f82abca4-095c-4e76-b4a3-3e628395c33f.vbs
| MD5 | 726b5a7b2dca3ebff57e6535f93fe643 |
| SHA1 | 34f5396c5a7c99d98cf94e83fc4e4dcca8b30ba9 |
| SHA256 | 58e31aec01101c069bfe281c3933d518c1662b4b2affeba4ea53ebcdb8433e35 |
| SHA512 | 0145f5ecb38b41987602ff41410ca79aab4c9852c6a3ec353f86743c8eb2886fb938e6001958f9f1528d0163df5630da2dfdafca31d7e5e798be0c64ee75d5f7 |
C:\Users\Admin\AppData\Local\Temp\aac37528-c4f4-414c-b246-0b13265c9965.vbs
| MD5 | 4dd1da93b306c2c500d8d01a947acd8b |
| SHA1 | 7959acfef3830da5bf0f9a5b47e075d7fbfc1f0c |
| SHA256 | bfafb47b346f5494d48d68c59fd37509ff7e0c65e36923fa0d0429d3dcbb283e |
| SHA512 | 14334d2a97211da3851c43d315c08ae4c935ea8399d4a47d69c7db630716cab4969dfa194a8a4af09cefa23064641c29f4a530c4ee239d0dfca9ad235597f0b7 |
C:\Users\Admin\AppData\Local\Temp\3f940552-1dea-43f6-b00c-9bd1e5d7bfd0.vbs
| MD5 | baa4180db5c0e8c2f3c5c0416588a043 |
| SHA1 | 32c4e3efca1564bc08f1176c67a92ccdf736da6e |
| SHA256 | bab9f0a5f9b7ffe3bd9461497cbf7d7e4851d1440c84c91e1c40101e769ef350 |
| SHA512 | fd44785114fbcff7c89f2e9750b42000cecde16d2b7ec8edc3bd6a7d8eb33ae61ee149e3ad7ab34fc227959383168385476a9c5ea33bad1357e8dc6d2866302d |
memory/2712-142-0x00000000013D0000-0x000000000173A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2b0217b0-b674-4159-93ec-d867d3b4f25d.vbs
| MD5 | f1ec524d5f9c49059b2f900f0167619b |
| SHA1 | bedbe303c45fa3184dc899137d9a94fec1be57c7 |
| SHA256 | 8d596634244c40568296e1ccb7f2da6590c05752a2f275c3056de33675bb6aa5 |
| SHA512 | b726d062de5160b9def917ddd7979d494cc79ddd0ee3de802ac62f55c7fa94760bef140a9631bf891dce84a4a0b9950e5a3f4f5e0591191c354500226ad28730 |
memory/544-155-0x0000000000030000-0x000000000039A000-memory.dmp
memory/544-156-0x000000001AD60000-0x000000001AD72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c175c62f-1951-44cc-87f3-1a243ada1afc.vbs
| MD5 | a1d03a33d8176bfb00a31079a5388937 |
| SHA1 | be9531b8bd2efe39219cfe49824de53254dfb769 |
| SHA256 | 74cdccf5c015f0896a2d67f6815fe740c79392c1845ce4141b06a65f4f793ed4 |
| SHA512 | 6c4247ca37c01032b7abdc5dce95946e7c81782a1e1f27586e70c41555484bf3a4e752e55473f3e56bf669f4919ed87a7399cd4bd335222fae7951c4660a0234 |
memory/936-168-0x0000000001360000-0x00000000016CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d724ce16-3e9a-4c7e-a42c-bcb20b79abc3.vbs
| MD5 | 45b826002a47c352524fef21a2ab99c7 |
| SHA1 | 84cfb405068b3edce4f4988e3735657e79902b77 |
| SHA256 | 865dcbb07c75d3db72084ed88ff006127ac33f1e5839bb15f39a646b0e17d3d2 |
| SHA512 | ba35179bc6e7692032a66a49d5dc6553026ed2b5aad0b0ac6cc667f5e88c0ea8cb6d16f228e79191bb8e72bd7bb5ebc326b211081297a6562206b172fe218f07 |
memory/2136-180-0x0000000000880000-0x0000000000892000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0931d4bc-2ba7-46cd-894a-dfc315e165ea.vbs
| MD5 | e78e46cdd2227cbbe8c96f7ca369edab |
| SHA1 | 5e09893f1108b814c012837a1c23f26b013d09ba |
| SHA256 | 2b5d124ce9212f9874668b76e475f15490de734325ad782c4fed8c6d61d2265f |
| SHA512 | 8fb4fd793e685b204cb04e71509391c41c773d6e468e4207de07fb5ae417bc2fbe900a8a013d969c968586d49fdd5701fcb409deaef0c87c3cf0a6603c9859db |
memory/2224-192-0x0000000000980000-0x0000000000CEA000-memory.dmp
memory/2224-193-0x00000000024B0000-0x00000000024C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a677508c-d60a-4288-a6c7-bfaace1165c2.vbs
| MD5 | f4bf528175d662ae985c0ff04c2153ef |
| SHA1 | d0b497ecc2a05f57cea996b68ff7679e104f8067 |
| SHA256 | ec931287f5ab5f29c3d64843b13b40ceaa0921a66aaf97a38c2f7b9fa2eb88b8 |
| SHA512 | 281c35cf259bde241175b80f815875845fb970d4663740aa76b8d08bab4ed330eb09e706dc31015c134faa79f81dbbd4567ab088a0a06b3032c00c453f05e7af |
memory/3012-205-0x0000000000FB0000-0x000000000131A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6a315e66-1adb-40c9-a9fa-1cccbeb65fd4.vbs
| MD5 | a9db23916e32330ce9a25e37fa566a73 |
| SHA1 | 381ee1f805fb501e5a3067fb9d61528c2f9f82b2 |
| SHA256 | d14e56dda9fd6f18c6d43dfe77aaaf67de739f3eb2c7643190898e35fe6e9694 |
| SHA512 | 4e2cb96ab4039edfeb350fbdcebaad48fb6f7da8f06d5aa67ea263043a77c4b2c813ae6881f3575029ae3b628666b783d886a7e59bfe331da770bf2b548195dd |
memory/2388-217-0x00000000001F0000-0x000000000055A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 01:24
Reported
2024-06-12 01:27
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
DcRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\", \"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Contacts\\cmd.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\", \"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Contacts\\cmd.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\lsass.exe\", \"C:\\Users\\Admin\\Searches\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\", \"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Contacts\\cmd.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\lsass.exe\", \"C:\\Users\\Admin\\Searches\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\", \"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Contacts\\cmd.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\lsass.exe\", \"C:\\Users\\Admin\\Searches\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msedge.exe\", \"C:\\Windows\\System32\\sv-SE\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\", \"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Contacts\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\", \"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Contacts\\cmd.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\lsass.exe\", \"C:\\Users\\Admin\\Searches\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msedge.exe\", \"C:\\Windows\\System32\\sv-SE\\Registry.exe\", \"C:\\Windows\\DigitalLocker\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\", \"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\", \"C:\\Windows\\Tasks\\unsecapp.exe\", \"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Contacts\\cmd.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\lsass.exe\", \"C:\\Users\\Admin\\Searches\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msedge.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
Xworm
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Tasks\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Admin\\Searches\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msedge.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\Contacts\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\SearchApp.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\Contacts\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Admin\\Searches\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\System32\\sv-SE\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\ja-JP\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\System32\\sv-SE\\Registry.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\DigitalLocker\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\smss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\DigitalLocker\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\SoftwareDistribution\\Download\\SharedFileCache\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msedge.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\ja-JP\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Tasks\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\sv-SE\Registry.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Windows\System32\sv-SE\ee2ad38f3d4382 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Defender\ja-JP\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\smss.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\69ddcba757bf72 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\SearchApp.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msedge.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\61a52ddc9dd915 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\wininit.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\56085415360792 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\38384e6a620884 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Mozilla Firefox\defaults\smss.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a.exe
"C:\Users\Admin\AppData\Local\Temp\4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe"
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
"C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Tasks\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Contacts\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Searches\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\sv-SE\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\System32\sv-SE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\sv-SE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\fontdrvhost.exe'" /rl HIGHEST /f
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f10bd0d7-3ae2-4508-b009-0133ed8e8aad.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07d0e77a-d68b-48b9-a4d2-b672c34a7d09.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a5c6b12-c5ab-4354-b818-ac5bce5451ce.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79ec27bc-2b40-4137-b468-964fd0adfe24.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a80c772-d646-4748-8d97-63b4c1e36990.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c5d108d-53f5-45e6-87d8-8984c1126392.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dbf0d89-7fc1-4c1d-93fc-71783b96bb5a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0876e42a-91da-41fd-a24c-0e98a39caaac.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\223d0d37-3001-4e36-83ed-c912d6ed0086.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a623cc56-4abd-406d-a73c-14d86a51930d.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb44dca9-0c60-4261-837b-f1f83e8ba51c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\304236ec-8ab8-4a27-8301-b1c180972001.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10519baa-b2a7-427d-aece-c27717b4f631.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecf8258f-106a-441e-98f0-a94a9922fcd0.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e284267-3167-4bc2-93c3-620d60649688.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05ca683f-d865-4f43-8ac9-d768c952a61f.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c8a8c8-dd57-4911-9906-793d777e379c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3a9d35a-9dae-4e8b-8d2a-e3589c7f1626.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\962fb79f-f1ff-4479-855b-ae05537cc66d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9dad734-6b8b-46a8-8503-3af8c6695b43.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060e4316-14cb-497a-899d-6262d24cbb87.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e6331f0-54b4-4e61-b8c5-6a98c80eb244.vbs"
C:\Program Files\Mozilla Firefox\defaults\smss.exe
"C:\Program Files\Mozilla Firefox\defaults\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cb09df1-b96e-4825-a525-c4b3f659bede.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02bf6811-ac3f-4e21-957a-316946ab046f.vbs"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:50230 | tcp | |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| N/A | 127.0.0.1:50230 | tcp | |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| N/A | 127.0.0.1:50230 | tcp | |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| N/A | 127.0.0.1:50230 | tcp | |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | letter-takes.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| N/A | 127.0.0.1:50230 | tcp | |
| N/A | 127.0.0.1:50230 | tcp | |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| N/A | 127.0.0.1:50230 | tcp | |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| N/A | 127.0.0.1:50230 | tcp | |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | letter-takes.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe
| MD5 | 57d593692c8428b66ed146e1fac689b7 |
| SHA1 | e9318d78efd4639d510ed9f39c8c3fca74ba9e14 |
| SHA256 | 9a75e3d28b75744ce468224b00ca5caedd73df7f71c797df2cbee2e9ac2d9a81 |
| SHA512 | 49293771dc734ca8802b0b9b8f61e77294819ab00983f5bb4f12205965e44abe2b5e5ead3ddf24fc8b5ab5392884b1422995c8b1e54b64fb693fcf3a50518f32 |
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
| MD5 | 95d7fc6faa389c5751de5c2f88d9580b |
| SHA1 | e6e7d542e3ec916464b77103b04e7f1722fe9a84 |
| SHA256 | a388d9b021ec9be1b20504d4673ac3388b64255b6b073bd4d3f348524b3e888b |
| SHA512 | c1b5d1ea1513225d1898eedb0344e08818703ccbd07f366970338cf83998dc32cf372d0367e6c128b356045a2c79164b8c17031be21553febf4da79ef7766fa2 |
C:\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 1be2b217087429a8397f448c9c7b8f8d |
| SHA1 | 4507e83e00cc18d738452d9217f4dfa19ca9d2de |
| SHA256 | d4482ca83d2a2dbd011c63739477e90893728af1a0b4e5fbc6413009573f7702 |
| SHA512 | 8588a0efaf8d857d773e5947d2ee7599559c1bdb139b5e28030e02aca6b93c0291ba80616ba06b3a96e50059d829b233cbf854ef807aa313cf8e7890613b8922 |
memory/1436-28-0x0000000000400000-0x00000000007DB000-memory.dmp
memory/3180-29-0x0000000000DF0000-0x0000000000DFE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe
| MD5 | cd2394b62b0e45e8f0fe6574406b69e4 |
| SHA1 | f85f70c37bb54ff9274f83b899f3127774687ddf |
| SHA256 | ec38aaa0de9073f8faa3feeaa3184c86162623f207331cd59e4cad94a68f4048 |
| SHA512 | d4ca9529dba04f0c19fd3ae2e3dd5b6e8292b87634168f26ad8d3cddfd63973ddab38e6f7aa393b6cab3c52b3e6d5360d07de8e5262bf064e09a64a608cf9058 |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat
| MD5 | 2d7ef4649d4d1191b1201674616cc588 |
| SHA1 | 88fb16975f9d9ef0512bc35f82b674215d856c24 |
| SHA256 | ea01569970e47289f27369c7019c9cd988d471bcc8b65337ec295806c419302d |
| SHA512 | b8cb8b6860a9fc892bc8398612c48b2c8c8e63ee10928a31e466a94255d7bbd0f22f2750621cd13364517c0a78fd887a09f005cafc7cfac5d72fb7d4a51b5489 |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
| MD5 | 7ec6bc11e4b2e409845e3160ec47f5d7 |
| SHA1 | c1a1a62f844556fd150c7515e124e98bf6d79a02 |
| SHA256 | b59342163ea5752e627b1eb236f42a9882f15fdff96ca77eba7b20e416f4a4f3 |
| SHA512 | 6e6d00144c0f73ca595008074b716631d79a73a4770b75acdc5ccc743c81b1b36b92bcbaa24c5b6eec5f4d8d01026e33a70d9fff4a133af075fe493feacfdbd3 |
memory/2612-51-0x0000000000710000-0x0000000000A7A000-memory.dmp
memory/2612-52-0x0000000002AF0000-0x0000000002AFE000-memory.dmp
memory/2612-53-0x000000001B590000-0x000000001B59E000-memory.dmp
memory/2612-54-0x000000001B5A0000-0x000000001B5A8000-memory.dmp
memory/2612-55-0x000000001B5B0000-0x000000001B5CC000-memory.dmp
memory/2612-56-0x000000001BD80000-0x000000001BDD0000-memory.dmp
memory/2612-57-0x000000001B5D0000-0x000000001B5D8000-memory.dmp
memory/2612-58-0x000000001B5E0000-0x000000001B5F0000-memory.dmp
memory/2612-60-0x000000001BD30000-0x000000001BD38000-memory.dmp
memory/2612-59-0x000000001B700000-0x000000001B716000-memory.dmp
memory/2612-61-0x000000001BD40000-0x000000001BD52000-memory.dmp
memory/2612-62-0x000000001BD60000-0x000000001BD6C000-memory.dmp
memory/2612-63-0x000000001BD50000-0x000000001BD58000-memory.dmp
memory/2612-64-0x000000001BD70000-0x000000001BD80000-memory.dmp
memory/2612-65-0x000000001BED0000-0x000000001BEDA000-memory.dmp
memory/2612-66-0x000000001BEE0000-0x000000001BF36000-memory.dmp
memory/2612-67-0x000000001BF30000-0x000000001BF3C000-memory.dmp
memory/2612-69-0x000000001C050000-0x000000001C05C000-memory.dmp
memory/2612-68-0x000000001BF40000-0x000000001BF48000-memory.dmp
memory/2612-70-0x000000001BF50000-0x000000001BF58000-memory.dmp
memory/2612-71-0x000000001BF60000-0x000000001BF72000-memory.dmp
memory/2612-72-0x000000001C590000-0x000000001CAB8000-memory.dmp
memory/2612-73-0x000000001BF90000-0x000000001BF9C000-memory.dmp
memory/2612-74-0x000000001BFA0000-0x000000001BFAC000-memory.dmp
memory/2612-75-0x000000001BFB0000-0x000000001BFB8000-memory.dmp
memory/2612-76-0x000000001BFC0000-0x000000001BFCC000-memory.dmp
memory/2612-77-0x000000001BFD0000-0x000000001BFDC000-memory.dmp
memory/2612-78-0x000000001BFE0000-0x000000001BFE8000-memory.dmp
memory/2612-79-0x000000001BFF0000-0x000000001BFFC000-memory.dmp
memory/2612-80-0x000000001C000000-0x000000001C00A000-memory.dmp
memory/2612-83-0x000000001C030000-0x000000001C03E000-memory.dmp
memory/2612-82-0x000000001C020000-0x000000001C028000-memory.dmp
memory/2612-85-0x000000001C260000-0x000000001C26C000-memory.dmp
memory/2612-84-0x000000001C040000-0x000000001C048000-memory.dmp
memory/2612-87-0x000000001C280000-0x000000001C28A000-memory.dmp
memory/2612-81-0x000000001C010000-0x000000001C01E000-memory.dmp
memory/2612-86-0x000000001C270000-0x000000001C278000-memory.dmp
memory/2612-88-0x000000001C290000-0x000000001C29C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f10bd0d7-3ae2-4508-b009-0133ed8e8aad.vbs
| MD5 | 9846c964b6461e0849de2fc0f7319e48 |
| SHA1 | 77972922b1aa10199e04e21a8161c4c920efa181 |
| SHA256 | 17d9c504c54b62f8f4ccb2f83e248b28f65c3d84aa4dc055ec1c4c259b13d515 |
| SHA512 | 9ee32af1052bd977b90471d95d23f0766ef605fa2db607bc135710e9cbc8c673f3a91437d3135346843f36ac5c36e1d110005e34d82b779e00ec0392bbc32e79 |
C:\Users\Admin\AppData\Local\Temp\07d0e77a-d68b-48b9-a4d2-b672c34a7d09.vbs
| MD5 | 085be578c4401ba865cdf787eae8cfe3 |
| SHA1 | 3602e0411f46191795aa146477d57f4a8909e489 |
| SHA256 | 6f8e5361543926e2853ca71099ac91cdec35adf652ea4505e0b0c7e504aa9c1d |
| SHA512 | 31fc439a09a6c430db13e503a44739824804c639fc680a192f1be9c84065cfe299e3881ff97023dc5b2be5006a341bf636e702030ea92b810950cb58fb9fb20d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log
| MD5 | 49b64127208271d8f797256057d0b006 |
| SHA1 | b99bd7e2b4e9ed24de47fb3341ea67660b84cca1 |
| SHA256 | 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77 |
| SHA512 | f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e |
C:\Users\Admin\AppData\Local\Temp\3a5c6b12-c5ab-4354-b818-ac5bce5451ce.vbs
| MD5 | bf1034ba788f936d32e6a2e3555b2325 |
| SHA1 | 8878414e532aee1c944a0a469f75161d9aafd336 |
| SHA256 | 63f09d9d8a891118deb73501c4bedfc10b86c19e3129a199a527f4edf8d8ec45 |
| SHA512 | 869f7cd82dfbb72d0b50ae7d47e13919ca676deff5048537c21c72627e75d3b1b93720fcc334300dfd8c3dc836f09d7c9ed437ddf3064ebc7d902059a3b0e315 |
memory/4388-157-0x000000001BD40000-0x000000001BD52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2a80c772-d646-4748-8d97-63b4c1e36990.vbs
| MD5 | 332f5501dc69e20234a6544b6174c4f4 |
| SHA1 | 13bc2c6b07c51a27304ff247b1e786118a860a49 |
| SHA256 | 90a705e352b3a82b42eba9cd293f3f800eb0a37dbaa82d4881c34d772c430934 |
| SHA512 | e53a52bbee960ba13f10b9cae74e2cc5f18179f8ecd1cd3dfb6e75729fa5db4e8a3f166f6966d184e8b407d20351cb98e714cd5214a6e7681e167fcb255c3887 |
C:\Users\Admin\AppData\Local\Temp\4dbf0d89-7fc1-4c1d-93fc-71783b96bb5a.vbs
| MD5 | 728b93019c9879b2b47ec72319b6bee8 |
| SHA1 | f5f27cd7a93a2c4c8047c8711f380bf6bcdec863 |
| SHA256 | 1b85818efa8553881a4300f926c7b589aa0c3e3911c9816af80f7292dfb58560 |
| SHA512 | 7748bd26c03a7fdbfc72036cebf40d931be2f976d8d40ed213a0a94a14f70441ad45458b994ff7eb4c2e8488e8405bf72b707891017ca7251230c989689b8d95 |
C:\Users\Admin\AppData\Local\Temp\223d0d37-3001-4e36-83ed-c912d6ed0086.vbs
| MD5 | c8b3ce35b19da124716e353012a60ec2 |
| SHA1 | 4125c479bc1165dbb309674ee0fcbf4ef70eb233 |
| SHA256 | 2a33db1c3bbafefa43c0748f347b56a2b60df9c4c0ec71b0f5405d5ff49b6c79 |
| SHA512 | 9c93021ffd0cdb0b54d7e935b9752fdf81986c0041df7e8840215a1ae6b8ddc06a27c3cfe900dd62170b12bd6508c6d5025b2c7dbb9355ea88ee55592acd6bcb |
C:\Users\Admin\AppData\Local\Temp\bb44dca9-0c60-4261-837b-f1f83e8ba51c.vbs
| MD5 | 2376be0a22fdcdb14c28a9df0e636494 |
| SHA1 | ab3c86b541c492e3a2d71a273a55100f28267426 |
| SHA256 | bab918247326364cd013f55b8eb718e6e4002c4e5e283bbf5c1d6f6542dc6297 |
| SHA512 | 006ce69ae35cd78e0be39107ecc854ace004c4ba69078d2cb0363ad8e3c5e593e21bb92b9650e73e4cb3ff936c0aeed34ab4340a75a484910b9e43b05da42c25 |
C:\Users\Admin\AppData\Local\Temp\10519baa-b2a7-427d-aece-c27717b4f631.vbs
| MD5 | 72ee49ebf7d1e674a016e47654add1d8 |
| SHA1 | 9a6b20d4b06bf09bde8aef8380bb0fdd8bcfca4a |
| SHA256 | 6dc82e85be0ab166691852766861810ec1c59b58ef21b822ef2adca10e7cfa00 |
| SHA512 | d7f30a312427f67e9c70645ad9ea19e6fbfdc2478fe41136e30be899de6a7ed5062cb90d795d8dc0dd8cb85bbefa29e5382626164ef43a479c29dbeae9f2199c |
C:\Users\Admin\AppData\Local\Temp\7e284267-3167-4bc2-93c3-620d60649688.vbs
| MD5 | 2500cf0323a5267080b95afe30e7edbd |
| SHA1 | b34705efacf94175da0961bed5f36e3aada14f9e |
| SHA256 | 05e37063d19ba94b51e79ab9430048bc813b2e380c2f8365e05e34e26ec29d02 |
| SHA512 | d81c3039f3bc0579d07cc8736f3e4b382565e51b83d6330e9952da5a908cb74da91aefe6228b69fa2ef9f21da6afc8543e2690754ee6e81c483e241bfac33be2 |
C:\Users\Admin\AppData\Local\Temp\94c8a8c8-dd57-4911-9906-793d777e379c.vbs
| MD5 | beabbbdb040a4443142511384fdefb33 |
| SHA1 | 37379b9d8242a623ee68516def2e1fd361d924e6 |
| SHA256 | fd06a0262700481f483f934a9cdb39e08824ac9597a3b6b7c0b9db5ccfac7597 |
| SHA512 | 27b5abd900ba595faf0bb875ab01fda4e0a45dffe5151c76188fcca20b5c38a108e2ecec08f984fdf6d2c1d82279374efe9bcc08677a4efc71ace5eb55c5a206 |
C:\Users\Admin\AppData\Local\Temp\962fb79f-f1ff-4479-855b-ae05537cc66d.vbs
| MD5 | 92d85350bfef447d8291cd1f65c8391a |
| SHA1 | be442e722eaf97c68c3eb4a51abaffc488984497 |
| SHA256 | 257fb77a94ed6752510634aeebd59b677fb814c48b78dda71b5940e3ce581cb1 |
| SHA512 | bd5591e3deaabfef3c98db2dbeef580d98e2a905352a75ad7eadf2fab538948c243c6da282b20e85b25549f1d2f21287904e754c78af0413eed8086932442818 |
C:\Users\Admin\AppData\Local\Temp\060e4316-14cb-497a-899d-6262d24cbb87.vbs
| MD5 | 2bbadd3d44d7c3b488ccbdab29443819 |
| SHA1 | e62f4888b73cd138926f6a1899b31857ce08bcca |
| SHA256 | 2e73d32d704363f4b73607b4fa90954fac5163c69d03623b50d88d462583558d |
| SHA512 | b663042eabef1a32f61b3c5557968a06ecd214864870b5f6487bc30f7a4adf3da573ccf3cd2a8ea18428a5c336f8380124de4a3888f1f6906ee8198b26dec8e8 |
C:\Users\Admin\AppData\Local\Temp\3cb09df1-b96e-4825-a525-c4b3f659bede.vbs
| MD5 | 937076d0626d8abdb23343a2ad82121d |
| SHA1 | c5d3c3541787332af9f40f9e11692e8855fba4a4 |
| SHA256 | b93ffbd72021c3de4b7625eecf21df3427cafe1420b74da0e335449b4cc7e55a |
| SHA512 | a482a3ea121479bb22eebb8c65c7036314c0787a71e2239c6d54f595e7fc7db137101fda77f079df3e8d2bd4f2f03614b7c3af825418dfd6235abb958061c043 |