Analysis Overview
SHA256
fdef3bd7f14535f73bfcbe2741792c3c2c9cd10af69be1bd1bc1c41d5daeb71c
Threat Level: Known bad
The file fdef3bd7f14535f73bfcbe2741792c3c2c9cd10af69be1bd1bc1c41d5daeb71c.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Xworm
DcRat
Modifies WinLogon for persistence
UAC bypass
Detect Xworm Payload
DCRat payload
Detects Windows executables referencing non-Windows User-Agents
Detects executables packed with SmartAssembly
Disables Task Manager via registry modification
Drops startup file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
System policy modification
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies registry key
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 02:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 02:36
Reported
2024-06-12 02:39
Platform
win7-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\dwm.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\XClient.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\dwm.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\dwm.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\XClient.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\dwm.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\XClient.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
Xworm
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Result.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| N/A | N/A | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| N/A | N/A | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| N/A | N/A | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| N/A | N/A | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fdef3bd7f14535f73bfcbe2741792c3c2c9cd10af69be1bd1bc1c41d5daeb71c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Internet Explorer\\es-ES\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\XClient.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Internet Explorer\\es-ES\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\XClient.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Documents\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Documents\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\es-ES\lsass.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files\Internet Explorer\es-ES\6203df4a6bafc7 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\ja-JP\f3b6ecef712a24 | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fdef3bd7f14535f73bfcbe2741792c3c2c9cd10af69be1bd1bc1c41d5daeb71c.exe
"C:\Users\Admin\AppData\Local\Temp\fdef3bd7f14535f73bfcbe2741792c3c2c9cd10af69be1bd1bc1c41d5daeb71c.exe"
C:\Users\Admin\AppData\Local\Temp\Result.exe
"C:\Users\Admin\AppData\Local\Temp\Result.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe"
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
"C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\XClient.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\XClient.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\XClient.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe
"C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98bdba43-eec8-4fdd-9fa0-0c969635944f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e60a880-416d-42fa-82c8-1f682511c342.vbs"
C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe
C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb593ed6-fefa-4d0b-819d-3f8b117cab8b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcd87264-36c8-49ab-b23e-7feb699b5a9c.vbs"
C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe
C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1783b510-6c84-4bf5-9917-e5ef9c28a390.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eb9e371-c85e-4802-b052-7c5a77fc7c56.vbs"
C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe
C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dwm.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a23e41d-7a85-422e-91aa-257451630e22.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49d51c61-1ebe-4fdb-ab00-adaf0937e12e.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | letter-takes.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
Files
\Users\Admin\AppData\Local\Temp\Result.exe
| MD5 | a8a4603bc85e306e0fdd17655e4820e4 |
| SHA1 | 5aa5d092a699c319c4d000f61eb526445b11662d |
| SHA256 | 4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a |
| SHA512 | 2b3b66aaecedd0669caadd835a02b22856e03e713657aa3fc597a9431e29cc3ec570881d4fdea23218a329ab537f1c181fc9fa3e11282e123bababe2f5596474 |
memory/2244-5-0x0000000000400000-0x00000000007BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe
| MD5 | 57d593692c8428b66ed146e1fac689b7 |
| SHA1 | e9318d78efd4639d510ed9f39c8c3fca74ba9e14 |
| SHA256 | 9a75e3d28b75744ce468224b00ca5caedd73df7f71c797df2cbee2e9ac2d9a81 |
| SHA512 | 49293771dc734ca8802b0b9b8f61e77294819ab00983f5bb4f12205965e44abe2b5e5ead3ddf24fc8b5ab5392884b1422995c8b1e54b64fb693fcf3a50518f32 |
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
| MD5 | 95d7fc6faa389c5751de5c2f88d9580b |
| SHA1 | e6e7d542e3ec916464b77103b04e7f1722fe9a84 |
| SHA256 | a388d9b021ec9be1b20504d4673ac3388b64255b6b073bd4d3f348524b3e888b |
| SHA512 | c1b5d1ea1513225d1898eedb0344e08818703ccbd07f366970338cf83998dc32cf372d0367e6c128b356045a2c79164b8c17031be21553febf4da79ef7766fa2 |
\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 1be2b217087429a8397f448c9c7b8f8d |
| SHA1 | 4507e83e00cc18d738452d9217f4dfa19ca9d2de |
| SHA256 | d4482ca83d2a2dbd011c63739477e90893728af1a0b4e5fbc6413009573f7702 |
| SHA512 | 8588a0efaf8d857d773e5947d2ee7599559c1bdb139b5e28030e02aca6b93c0291ba80616ba06b3a96e50059d829b233cbf854ef807aa313cf8e7890613b8922 |
memory/2324-30-0x0000000000400000-0x00000000007DB000-memory.dmp
memory/2064-42-0x00000000013A0000-0x00000000013AE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe
| MD5 | cd2394b62b0e45e8f0fe6574406b69e4 |
| SHA1 | f85f70c37bb54ff9274f83b899f3127774687ddf |
| SHA256 | ec38aaa0de9073f8faa3feeaa3184c86162623f207331cd59e4cad94a68f4048 |
| SHA512 | d4ca9529dba04f0c19fd3ae2e3dd5b6e8292b87634168f26ad8d3cddfd63973ddab38e6f7aa393b6cab3c52b3e6d5360d07de8e5262bf064e09a64a608cf9058 |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat
| MD5 | 2d7ef4649d4d1191b1201674616cc588 |
| SHA1 | 88fb16975f9d9ef0512bc35f82b674215d856c24 |
| SHA256 | ea01569970e47289f27369c7019c9cd988d471bcc8b65337ec295806c419302d |
| SHA512 | b8cb8b6860a9fc892bc8398612c48b2c8c8e63ee10928a31e466a94255d7bbd0f22f2750621cd13364517c0a78fd887a09f005cafc7cfac5d72fb7d4a51b5489 |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
| MD5 | 7ec6bc11e4b2e409845e3160ec47f5d7 |
| SHA1 | c1a1a62f844556fd150c7515e124e98bf6d79a02 |
| SHA256 | b59342163ea5752e627b1eb236f42a9882f15fdff96ca77eba7b20e416f4a4f3 |
| SHA512 | 6e6d00144c0f73ca595008074b716631d79a73a4770b75acdc5ccc743c81b1b36b92bcbaa24c5b6eec5f4d8d01026e33a70d9fff4a133af075fe493feacfdbd3 |
memory/2368-56-0x0000000000170000-0x00000000004DA000-memory.dmp
memory/2368-57-0x0000000000630000-0x000000000063E000-memory.dmp
memory/2368-58-0x0000000000640000-0x000000000064E000-memory.dmp
memory/2368-59-0x0000000000650000-0x0000000000658000-memory.dmp
memory/2368-60-0x0000000000900000-0x000000000091C000-memory.dmp
memory/2368-61-0x0000000000770000-0x0000000000778000-memory.dmp
memory/2368-62-0x0000000000920000-0x0000000000930000-memory.dmp
memory/2368-63-0x0000000000930000-0x0000000000946000-memory.dmp
memory/2368-64-0x0000000000950000-0x0000000000958000-memory.dmp
memory/2368-65-0x0000000002230000-0x0000000002242000-memory.dmp
memory/2368-66-0x0000000002220000-0x000000000222C000-memory.dmp
memory/2368-67-0x0000000002190000-0x0000000002198000-memory.dmp
memory/2368-68-0x0000000002240000-0x0000000002250000-memory.dmp
memory/2368-69-0x0000000002250000-0x000000000225A000-memory.dmp
memory/2368-70-0x000000001AAE0000-0x000000001AB36000-memory.dmp
memory/2368-71-0x0000000002260000-0x000000000226C000-memory.dmp
memory/2368-72-0x000000001AB30000-0x000000001AB38000-memory.dmp
memory/2368-73-0x000000001AF80000-0x000000001AF8C000-memory.dmp
memory/2368-74-0x000000001AF90000-0x000000001AF98000-memory.dmp
memory/2368-75-0x000000001AFA0000-0x000000001AFB2000-memory.dmp
memory/2368-76-0x000000001AFD0000-0x000000001AFDC000-memory.dmp
memory/2368-77-0x000000001AFE0000-0x000000001AFEC000-memory.dmp
memory/2368-78-0x000000001AFF0000-0x000000001AFF8000-memory.dmp
memory/2368-79-0x000000001B000000-0x000000001B00C000-memory.dmp
memory/2368-80-0x000000001B010000-0x000000001B01C000-memory.dmp
memory/2368-81-0x000000001B020000-0x000000001B028000-memory.dmp
memory/2368-82-0x000000001B030000-0x000000001B03C000-memory.dmp
memory/2368-83-0x000000001B040000-0x000000001B04A000-memory.dmp
memory/2368-84-0x000000001B050000-0x000000001B05E000-memory.dmp
memory/2368-85-0x000000001B060000-0x000000001B068000-memory.dmp
memory/2368-86-0x000000001B070000-0x000000001B07E000-memory.dmp
memory/2368-87-0x000000001B080000-0x000000001B088000-memory.dmp
memory/2368-88-0x000000001B090000-0x000000001B09C000-memory.dmp
memory/2368-89-0x000000001B0A0000-0x000000001B0A8000-memory.dmp
memory/2368-90-0x000000001B130000-0x000000001B13A000-memory.dmp
memory/2368-91-0x000000001B140000-0x000000001B14C000-memory.dmp
memory/2280-112-0x0000000001160000-0x00000000014CA000-memory.dmp
memory/2280-113-0x0000000000C30000-0x0000000000C42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\98bdba43-eec8-4fdd-9fa0-0c969635944f.vbs
| MD5 | ed4ae8efbce9049e03e0feff18e1b3fb |
| SHA1 | 077c3130397d5bc4c95bbb2562fd0e1718fcda51 |
| SHA256 | 8e30d2db6860476987adff31d9c2dcf34b7fb0183390fc1fb665342cfdf175fe |
| SHA512 | 27da23273eedb66841bbb1d40f3c2fbd5b54d05652243acb2c51a285e517bbbccc8cc16867bfa3e7fc4d8d8eb60c9a760e63da72901dccda29e1e74fcaa13f30 |
C:\Users\Admin\AppData\Local\Temp\7e60a880-416d-42fa-82c8-1f682511c342.vbs
| MD5 | 2975e6aba7cd72f247813d3ce64bf953 |
| SHA1 | 2e4a709333b43dc9326fc59342df17c088aba485 |
| SHA256 | 7ad2c2d245a88a7997912fdd763cdbaf13525d6f0f774febe90176ae798746a9 |
| SHA512 | 1dff47122b656433e23b278c715b25084820a353caa62c47acccc47b8226b6dc4cb051ee2da5ccf0d89ba91cd77363a4f57ef063b79e573cdacfe9edc453606d |
memory/2508-124-0x0000000000CA0000-0x0000000000CB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fb593ed6-fefa-4d0b-819d-3f8b117cab8b.vbs
| MD5 | 5de7e52c072bf81208cd4dfc023bdff1 |
| SHA1 | 50d1c74286891dc1d1c97eb22f01fc75411a747d |
| SHA256 | bb00339d2a480ec697c0d3f598c908352b7ef6922af9b0f0bff02cd2f293e6eb |
| SHA512 | ba5c3e2b313ddd47900547e9feb72eadcb8df0e313c2a84c922acb28e40940643b1b448e05f3fa5bbf88dbfb512fa5b0310939c0eb125a33196f008d1a10a69e |
memory/836-137-0x0000000000640000-0x0000000000696000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1783b510-6c84-4bf5-9917-e5ef9c28a390.vbs
| MD5 | 27372d9727b63bffc172d764fddfbe77 |
| SHA1 | a39dc9aaef22c6a038f99d1e2a8a5d76e16bcb83 |
| SHA256 | aed5a201b88d16f802207d882deb589fd3bfc2064af6f2e3210eb4a915ea6fc2 |
| SHA512 | a0c7fb9eab12336da9772157a4f67ff71a8dbef531d0bb78226b2f22a29e5ac58b750dd449b997e44f16e603ef8ad038d968f7a7b267e781861c0e0ad2d45c15 |
memory/2400-149-0x00000000012F0000-0x000000000165A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8a23e41d-7a85-422e-91aa-257451630e22.vbs
| MD5 | c41b382459cae02f134f0dec823ddab4 |
| SHA1 | 3584656b0820973a5919f42c3be777add288af49 |
| SHA256 | bb01055d2874519d3fdd1594f215b28641ea280967a1d13c76da8b8ade44bc2b |
| SHA512 | 92e84c3b72c1c9fc8e0bcc841ea9272dc33055f766134308facac57f2d8a4fbd25863036e4e93cbbb125fd1ea6483e27804984cfb5c0fa977632605a3da226fd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 02:36
Reported
2024-06-12 02:39
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
DcRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
Xworm
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fdef3bd7f14535f73bfcbe2741792c3c2c9cd10af69be1bd1bc1c41d5daeb71c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Result.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Admin\\Documents\\OneNote Notebooks\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\e6c9b481da804f | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fdef3bd7f14535f73bfcbe2741792c3c2c9cd10af69be1bd1bc1c41d5daeb71c.exe
"C:\Users\Admin\AppData\Local\Temp\fdef3bd7f14535f73bfcbe2741792c3c2c9cd10af69be1bd1bc1c41d5daeb71c.exe"
C:\Users\Admin\AppData\Local\Temp\Result.exe
"C:\Users\Admin\AppData\Local\Temp\Result.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe"
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
"C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Documents\OneNote Notebooks\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2521aa6-a54a-4a72-8fae-ee8f049824b9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e192578-0af2-4ad2-ae09-d6cc358680d5.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b0a1b2-997e-4bd4-a98e-9934fdd67d32.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93130fe9-2ce5-45c4-a2ba-15b4602ee324.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11dc08f5-5ae0-4657-9901-2c2740df7f45.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e94390b8-e936-452c-9b92-8f22ba36c684.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6ca2e55-2361-4251-97dc-3c90827b1ff4.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e191d032-5dad-4696-88a2-15c7e060e75b.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a17e083a-67c4-4655-a9b7-28cc04d4944c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13d5e2d1-713e-4a68-a9dc-cc772d74bc5d.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab93a831-113f-48e3-8d5b-5c1237521053.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea95294f-ae7f-44ab-b32c-fc35cd0c96f7.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77acc27e-fa24-4a93-9aa3-3c5ea0e5e03f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76d47666-295e-4b50-af61-ebd04f958d7c.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253861df-943f-4b71-9a67-2f98c9e4c8d4.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b45026f-09ff-49d5-b4d1-f12238be36d8.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f50c925-e356-46b7-93d0-8bde0cb1a133.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bef319a6-b5a2-475d-b657-4430d531bbaa.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91a05f4-824b-42f5-9f7b-08a9dd789fed.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78cbeea6-61d7-4ae2-b552-3fa453ba0d3b.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cde6ef3a-aedf-4a65-b88f-3540dc7d75dc.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0491b8b-64c3-4884-9e84-08d38f44728c.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9449e654-3220-4903-b288-3815ba24112a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e227288d-29ba-4871-9045-779ffbce2b2d.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a807298-f327-4f1c-8d46-8664bc958b43.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab6f0ad6-09dd-4606-8404-a68f52470642.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f2ce94f-e288-420c-9059-6a17d3b1ac09.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34d1ddd7-ad9d-4331-94af-e8a9f63a1fa6.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe
"C:\Program Files (x86)\MSBuild\Microsoft\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bec466b9-ca15-4384-85f1-5fe6603d3236.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef86a4ec-58f6-4138-9fed-90a86a225c53.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | letter-takes.gl.at.ply.gg | udp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | a0991799.xsph.ru | udp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 8.8.8.8:53 | 26.192.8.141.in-addr.arpa | udp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
| US | 147.185.221.19:50230 | letter-takes.gl.at.ply.gg | tcp |
| RU | 141.8.192.26:80 | a0991799.xsph.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Result.exe
| MD5 | a8a4603bc85e306e0fdd17655e4820e4 |
| SHA1 | 5aa5d092a699c319c4d000f61eb526445b11662d |
| SHA256 | 4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a |
| SHA512 | 2b3b66aaecedd0669caadd835a02b22856e03e713657aa3fc597a9431e29cc3ec570881d4fdea23218a329ab537f1c181fc9fa3e11282e123bababe2f5596474 |
memory/3932-7-0x0000000000400000-0x00000000007BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Result.exe
| MD5 | 57d593692c8428b66ed146e1fac689b7 |
| SHA1 | e9318d78efd4639d510ed9f39c8c3fca74ba9e14 |
| SHA256 | 9a75e3d28b75744ce468224b00ca5caedd73df7f71c797df2cbee2e9ac2d9a81 |
| SHA512 | 49293771dc734ca8802b0b9b8f61e77294819ab00983f5bb4f12205965e44abe2b5e5ead3ddf24fc8b5ab5392884b1422995c8b1e54b64fb693fcf3a50518f32 |
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
| MD5 | 95d7fc6faa389c5751de5c2f88d9580b |
| SHA1 | e6e7d542e3ec916464b77103b04e7f1722fe9a84 |
| SHA256 | a388d9b021ec9be1b20504d4673ac3388b64255b6b073bd4d3f348524b3e888b |
| SHA512 | c1b5d1ea1513225d1898eedb0344e08818703ccbd07f366970338cf83998dc32cf372d0367e6c128b356045a2c79164b8c17031be21553febf4da79ef7766fa2 |
C:\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 1be2b217087429a8397f448c9c7b8f8d |
| SHA1 | 4507e83e00cc18d738452d9217f4dfa19ca9d2de |
| SHA256 | d4482ca83d2a2dbd011c63739477e90893728af1a0b4e5fbc6413009573f7702 |
| SHA512 | 8588a0efaf8d857d773e5947d2ee7599559c1bdb139b5e28030e02aca6b93c0291ba80616ba06b3a96e50059d829b233cbf854ef807aa313cf8e7890613b8922 |
memory/4472-37-0x0000000000400000-0x00000000007DB000-memory.dmp
memory/1292-38-0x0000000000F20000-0x0000000000F2E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe
| MD5 | cd2394b62b0e45e8f0fe6574406b69e4 |
| SHA1 | f85f70c37bb54ff9274f83b899f3127774687ddf |
| SHA256 | ec38aaa0de9073f8faa3feeaa3184c86162623f207331cd59e4cad94a68f4048 |
| SHA512 | d4ca9529dba04f0c19fd3ae2e3dd5b6e8292b87634168f26ad8d3cddfd63973ddab38e6f7aa393b6cab3c52b3e6d5360d07de8e5262bf064e09a64a608cf9058 |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat
| MD5 | 2d7ef4649d4d1191b1201674616cc588 |
| SHA1 | 88fb16975f9d9ef0512bc35f82b674215d856c24 |
| SHA256 | ea01569970e47289f27369c7019c9cd988d471bcc8b65337ec295806c419302d |
| SHA512 | b8cb8b6860a9fc892bc8398612c48b2c8c8e63ee10928a31e466a94255d7bbd0f22f2750621cd13364517c0a78fd887a09f005cafc7cfac5d72fb7d4a51b5489 |
C:\Users\Admin\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
| MD5 | 7ec6bc11e4b2e409845e3160ec47f5d7 |
| SHA1 | c1a1a62f844556fd150c7515e124e98bf6d79a02 |
| SHA256 | b59342163ea5752e627b1eb236f42a9882f15fdff96ca77eba7b20e416f4a4f3 |
| SHA512 | 6e6d00144c0f73ca595008074b716631d79a73a4770b75acdc5ccc743c81b1b36b92bcbaa24c5b6eec5f4d8d01026e33a70d9fff4a133af075fe493feacfdbd3 |
memory/4688-60-0x0000000000760000-0x0000000000ACA000-memory.dmp
memory/4688-61-0x0000000002DF0000-0x0000000002DFE000-memory.dmp
memory/4688-62-0x0000000002E00000-0x0000000002E0E000-memory.dmp
memory/4688-63-0x0000000002E10000-0x0000000002E18000-memory.dmp
memory/4688-64-0x0000000002E20000-0x0000000002E3C000-memory.dmp
memory/4688-65-0x000000001B6B0000-0x000000001B700000-memory.dmp
memory/4688-67-0x0000000002E50000-0x0000000002E60000-memory.dmp
memory/4688-66-0x0000000002E40000-0x0000000002E48000-memory.dmp
memory/4688-69-0x000000001B660000-0x000000001B668000-memory.dmp
memory/4688-68-0x0000000002E70000-0x0000000002E86000-memory.dmp
memory/4688-70-0x000000001B680000-0x000000001B692000-memory.dmp
memory/4688-71-0x000000001B670000-0x000000001B67C000-memory.dmp
memory/4688-72-0x000000001B690000-0x000000001B698000-memory.dmp
memory/4688-73-0x000000001B6A0000-0x000000001B6B0000-memory.dmp
memory/4688-74-0x000000001B700000-0x000000001B70A000-memory.dmp
memory/4688-75-0x000000001BF50000-0x000000001BFA6000-memory.dmp
memory/4688-76-0x000000001B710000-0x000000001B71C000-memory.dmp
memory/4688-77-0x000000001B720000-0x000000001B728000-memory.dmp
memory/4688-78-0x000000001B730000-0x000000001B73C000-memory.dmp
memory/4688-79-0x000000001BFA0000-0x000000001BFA8000-memory.dmp
memory/4688-80-0x000000001BFB0000-0x000000001BFC2000-memory.dmp
memory/4688-81-0x000000001C510000-0x000000001CA38000-memory.dmp
memory/4688-82-0x000000001BFE0000-0x000000001BFEC000-memory.dmp
memory/4688-83-0x000000001BFF0000-0x000000001BFFC000-memory.dmp
memory/4688-84-0x000000001C000000-0x000000001C008000-memory.dmp
memory/4688-85-0x000000001C010000-0x000000001C01C000-memory.dmp
memory/4688-86-0x000000001C020000-0x000000001C02C000-memory.dmp
memory/4688-87-0x000000001C2A0000-0x000000001C2A8000-memory.dmp
memory/4688-88-0x000000001C130000-0x000000001C13C000-memory.dmp
memory/4688-89-0x000000001C140000-0x000000001C14A000-memory.dmp
memory/4688-90-0x000000001C150000-0x000000001C15E000-memory.dmp
memory/4688-92-0x000000001C270000-0x000000001C27E000-memory.dmp
memory/4688-91-0x000000001C260000-0x000000001C268000-memory.dmp
memory/4688-93-0x000000001C280000-0x000000001C288000-memory.dmp
memory/4688-94-0x000000001C290000-0x000000001C29C000-memory.dmp
memory/4688-95-0x000000001C2B0000-0x000000001C2B8000-memory.dmp
memory/4688-96-0x000000001C3C0000-0x000000001C3CA000-memory.dmp
memory/4688-97-0x000000001C2C0000-0x000000001C2CC000-memory.dmp
memory/4668-115-0x000000001BB70000-0x000000001BB82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c2521aa6-a54a-4a72-8fae-ee8f049824b9.vbs
| MD5 | 4d033c538b157474fe6a81b1d26adf5b |
| SHA1 | 7b730d64f562df56b51c62eb37bfaf04d4864018 |
| SHA256 | 6bca430e5bc06bf3a6c04447fd3b5121e666c94d4e8aeb5e05336e3348660de6 |
| SHA512 | 10d896aa24c462094789129efc409eabf151992b70ddee2e8f5fa7b866e27507f7f3cf534e51f24aba41bda71b27eb2ae67d38df44826ed6987a36771d360dc3 |
C:\Users\Admin\AppData\Local\Temp\6e192578-0af2-4ad2-ae09-d6cc358680d5.vbs
| MD5 | ab666b590c21ce33153b5020fdd3e7e1 |
| SHA1 | 6a3fa1294620ce159cc98b9d509dbde40b0049aa |
| SHA256 | 6c0341e27582f1f9fec8bfb2a727b759551e926a6be22f9a50e6c898b0eb3057 |
| SHA512 | 0b0ef9ea468af1ece2fc387d53f2f82fbda6b48a4ec75d856e5bfce067623cb6aed4cd0266fe0a01798a90d573ecd86faa5bda01c7e73202d316ae3d1d5e4b5d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log
| MD5 | 49b64127208271d8f797256057d0b006 |
| SHA1 | b99bd7e2b4e9ed24de47fb3341ea67660b84cca1 |
| SHA256 | 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77 |
| SHA512 | f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e |
memory/3544-128-0x000000001B8D0000-0x000000001B8E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\15b0a1b2-997e-4bd4-a98e-9934fdd67d32.vbs
| MD5 | cb94432ad01372cef542bcf99a61d19e |
| SHA1 | 5b567e841958a6d89d32877033c00432df3699bd |
| SHA256 | 7fbe538bb0f9ec0bcb6012a110e0559fc4fff1b31b8ec6821c8e972ae8607bfb |
| SHA512 | 86279b39e75419d1b95922866f832f981211f9e321b7543748bb87064cc42cb22b335ad3966eb365f6d936332f32e35f882a41bf61708459c77b8445dcddf6c0 |
memory/5016-140-0x000000001BC50000-0x000000001BC62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11dc08f5-5ae0-4657-9901-2c2740df7f45.vbs
| MD5 | 79c576b25a33a35d431fa9d344404b7d |
| SHA1 | 75ba2be336ddcfcbdbb0aabf29f0d0d296e38467 |
| SHA256 | 7271efe6c8eb68144326cefeff6b00d6d8469247c035ef1f309b6f3cac065cc1 |
| SHA512 | ec6edca040148b603ceed055c88c5b8f3497c41518d500e85c3218f12bb052bb794e91aa8c02a853f4718d4fd39736e7550cc3ea83b289ce3c9b90b82f08730e |
C:\Users\Admin\AppData\Local\Temp\d6ca2e55-2361-4251-97dc-3c90827b1ff4.vbs
| MD5 | bb1ddc7b463c28e1ef88fedd52f07fbd |
| SHA1 | f7a5380b43a94928734e3a2af7a90bc6792f5f9d |
| SHA256 | 0acf70e035c335e2ceedf690cd0d592a0af1174980f3a7dd8b75fba092dd66a4 |
| SHA512 | 498a179f83aea3abe46fdd556465896336c5733c7df4626ebcd1620606c3b01a289c9650537004a5b53b2173c4a5abb4f4d8b1adab1203a1308f9be7f3995c32 |
C:\Users\Admin\AppData\Local\Temp\a17e083a-67c4-4655-a9b7-28cc04d4944c.vbs
| MD5 | b9925f848b757bd00b85018f5ed140ef |
| SHA1 | ff97d2555db92b51334ad5b492508ead6aa0f7e8 |
| SHA256 | c95e65d4f6acd9ba084cf827dc163fb7ef131d519ec0c292925f1b7d23193c98 |
| SHA512 | ad866c4ad6a8d10422d7b8fd8fbf88f7201a21da90b84974b7a481b44021f8e53d647c5b7523355dc9076b053578d313ecd426c1679bea3158786089dcddd56a |
memory/2212-174-0x000000001B980000-0x000000001B992000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ab93a831-113f-48e3-8d5b-5c1237521053.vbs
| MD5 | f111e1528a47d3e3a8f1068b637c0cf9 |
| SHA1 | 252ba556c7149a84df10f57ad7f6fe1d6a499576 |
| SHA256 | 4c772b6c0064da4870def25cc48c8d4e680cf75edd8f18eea1a4ff9a558224c1 |
| SHA512 | 6349b45e72405b5489846c215aeee0af9de87fb0c025f52d05f9aa8e8827897de0499b1d5a6bd1fc2ceac033c6e35de0c1565bc5b8aad0a94f26b8d68a7140d6 |
C:\Users\Admin\AppData\Local\Temp\77acc27e-fa24-4a93-9aa3-3c5ea0e5e03f.vbs
| MD5 | 800cc4ad8e3defde18dc8352aa643580 |
| SHA1 | 42f322a6114f50c952d921e94ebce96aa045639e |
| SHA256 | 1d29f1c9432d8fb830114369eb61f9b73cb2e6c37659f1f497156fb0f6a11921 |
| SHA512 | b1ecb871a3ab73a8035d370d6506732a6145a806a44c03c6eff1a339f987bf9653aa138b443ec4817923d0ea65753ce01bfb22d622d059cae45faca067f54d96 |
memory/2588-198-0x0000000001C70000-0x0000000001C82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\253861df-943f-4b71-9a67-2f98c9e4c8d4.vbs
| MD5 | 0d3893629d9f4769e96ad8de39fda69f |
| SHA1 | 23d784dd1c5ff0af708c40b5bc868725224a8264 |
| SHA256 | c453ff4bb193e70d3cbe09ca8d948a6bf4039e8415245ff3c9b8fc34bbb0692a |
| SHA512 | dd5162426a616c2692fb183ace0eccd327562f79712ad1ac46b6be41722cd095b98af03cce42aee1138e419cd7023afc497de780f945cea665a08adef3c6fe60 |
C:\Users\Admin\AppData\Local\Temp\7f50c925-e356-46b7-93d0-8bde0cb1a133.vbs
| MD5 | 2498a1e2cc717789f756e51acc90214e |
| SHA1 | 3310301f0d7e15c1005ce503f4abb50110e04cf3 |
| SHA256 | 4165465e3966f717bad4c8f8808a38626ee016c7117746ebfe13ad0bee85544f |
| SHA512 | b02b7c6879ad003c00c235edea0393aa5114166515e602add22660757d6d497bb490f80f433d616c014c7d5d5580c279781aa4f10f29fbb8a0e8fb96991322b2 |
memory/3128-221-0x0000000003110000-0x0000000003122000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c91a05f4-824b-42f5-9f7b-08a9dd789fed.vbs
| MD5 | ffc71673d0f4c390959c60080ef9e498 |
| SHA1 | 37c4cf285f8177a166765d571980b2bfe82c1550 |
| SHA256 | e845308111d5c2dba73b4a17eaa5e2afd30ed71f68327cd9f670470ab6618774 |
| SHA512 | 7ea44b26c396867a6e2e27870e5a2b9014744f8446c76313c0f4bae4181d7e3702c0df99032d33da3021b0d46c5673a773ad4a2d61ff4b6ef38c91d42bc9401d |
memory/3952-233-0x000000001B520000-0x000000001B532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cde6ef3a-aedf-4a65-b88f-3540dc7d75dc.vbs
| MD5 | dd69928688df6e9814f61667b96680ae |
| SHA1 | 248905a125215d406603b3a324ec8421946ba254 |
| SHA256 | fdd890ce30ac7c34c04b3dd59e4baa91ffa4baa82c0f7eafdbc58094c0d2a25f |
| SHA512 | cd18a21b28e359a24906c8ec53514a9ac539f86e8c0d5f479804d574e8489f02233a58ead77134b524613be296f71db5ab4badba679006e45f23aab2382ef1e3 |
C:\Users\Admin\AppData\Local\Temp\9449e654-3220-4903-b288-3815ba24112a.vbs
| MD5 | 4d2f350a8eaaf7ac04762f06c18eda07 |
| SHA1 | f35427ac5b32c73303f5c410eae10572f092a009 |
| SHA256 | bb07b9358b302bcc67e38ca4027e49a5080929235d273c507bc9f817368208c8 |
| SHA512 | 1f6e146a847e018ce378469d99d2dbbf9b429aea58ded69068e641dc8f3301f6f7fa2c5a8672ce3289ec6fcde7383350b56845a246f2c1090519509f9f148c54 |
memory/872-264-0x000000001B530000-0x000000001B542000-memory.dmp
memory/4320-272-0x000000001B080000-0x000000001B092000-memory.dmp
memory/4320-273-0x000000001B120000-0x000000001B176000-memory.dmp