Malware Analysis Report

2024-11-15 05:52

Sample ID 240721-17m6hszdmk
Target NursultanCrack.exe
SHA256 c50ff535a4d6f888019f7865b319658fc35fd9c3ce5734308821641407d91df9
Tags rat dcrat evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10
SHA256 c50ff535a4d6f888019f7865b319658fc35fd9c3ce5734308821641407d91df9
Threat Level: Known bad
The file NursultanCrack.exe was found to be: Known bad.

Malicious Activity Summary

Tags rat dcrat evasion infostealer persistence trojan

UAC bypass
DCRat payload
Modifies WinLogon for persistence
Dcrat family
Process spawned unexpected child process
DcRat
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System policy modification
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 22:17

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 22:17

Reported

2024-07-21 22:20

Platform

win7-20240704-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (45 identical rows, one per schtasks.exe invocation, interleaved with the two rows below)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Uninstall Information\6ccacd8608530f C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\OSPPSVC.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\taskhost.exe\", \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Hypercommon.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\conhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

The Shell value was written 15 times by Hypercommon.exe; each write re-emitted the whole list with one more entry appended, and the row above is the final state. Entries in the order they were added, after the default explorer.exe:
1. C:\Program Files\Uninstall Information\Idle.exe
2. C:\MSOCache\All Users\OSPPSVC.exe
3. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe
4. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe
5. C:\Users\Default\dllhost.exe
6. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe
7. C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe
8. C:\Users\Default User\spoolsv.exe
9. C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe
10. C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe
11. C:\Program Files\Windows Portable Devices\cmd.exe
12. C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe
13. C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe
14. C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
15. C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (45 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\spoolsv.exe N/A
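The three values in the table above are the whole UAC policy surface under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and that key is writable only from an elevated process. Successful writes therefore mean the sample already held a high-integrity token; what the sandbox labels a "UAC bypass" is the sample switching UAC off for later elevations rather than escalating past it. The Python below is an added example, not part of this report or of DCRat: it parses rows in the layout of the table above (the row layout is an assumption read off those rows), records every policy value set to 0 together with what that setting means, and summarises the resulting posture per writing process. The sample rows are copied from the table.

```python
import re
from dataclasses import dataclass

# Layout of a "Set value (int)" row in this report's signature tables (an assumption
# read off the rows above): Set value (int) <key> = "<integer>" <writing process> N/A
INT_ROW_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>-?\d+)" (?P<process>.+?) N/A$'
)

# Documented meaning of a zero in each UAC policy value under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
ZERO_MEANS = {
    "EnableLUA": "UAC switched off entirely; takes effect at the next logon or reboot",
    "ConsentPromptBehaviorAdmin": "administrators elevate with no prompt; effective immediately",
    "PromptOnSecureDesktop": "elevation prompts drawn on the normal desktop, where other windows can spoof them",
}


@dataclass(frozen=True)
class UacChange:
    process: str   # process that wrote the value
    name: str      # policy value name
    value: int
    meaning: str


def parse_int_row(line):
    """Return (key, value, process) for a 'Set value (int)' row, or None for anything else."""
    m = INT_ROW_RE.match(line.strip())
    if m is None:
        return None
    return m.group("key"), int(m.group("value")), m.group("process")


def uac_changes(lines):
    """Collect every write that sets one of the three UAC policy values to 0."""
    out = []
    for line in lines:
        parsed = parse_int_row(line)
        if parsed is None:
            continue
        key, value, process = parsed
        parent, _, name = key.rpartition("\\")
        if not parent.lower().endswith("\\policies\\system"):
            continue  # some other integer value; not a UAC policy
        if name in ZERO_MEANS and value == 0:
            out.append(UacChange(process, name, value, ZERO_MEANS[name]))
    return out


def posture_by_process(changes):
    """Worst resulting UAC state attributable to each writing process."""
    seen = {}
    for c in changes:
        seen.setdefault(c.process, set()).add(c.name)
    posture = {}
    for process, names in seen.items():
        if "EnableLUA" in names:
            posture[process] = "uac_disabled"
        elif "ConsentPromptBehaviorAdmin" in names:
            posture[process] = "silent_elevation"
        else:
            posture[process] = "prompt_weakened"
    return posture


# Rows copied verbatim from the "UAC bypass" table of this report.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\spoolsv.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\spoolsv.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\spoolsv.exe N/A',
]

if __name__ == "__main__":
    changes = uac_changes(REPORT_ROWS)
    for c in changes:
        print(f"{c.process}: {c.name}=0 -> {c.meaning}")
    print(posture_by_process(changes))
```

On a live host the same three values can be read from the registry and fed through uac_changes by formatting them as rows; the posture labels are ordered so that an EnableLUA=0 finding always outranks the prompt-only changes, since the latter are moot once UAC itself is off.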

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hypercommon = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Hypercommon.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Uninstall Information\\Idle.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Uninstall Information\\Idle.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hypercommon = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Hypercommon.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\taskhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\taskhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
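Both the Winlogon\Shell list in the "Modifies WinLogon for persistence" table and the Run entries above point at copies of the dropper named after Windows system processes (csrss.exe, lsass.exe, dwm.exe, conhost.exe and so on) in directories where those binaries never live; Winlogon launches every comma-separated entry in Shell at logon, so the injected list is a second autostart path alongside the Run keys. The Python below is an added example serving both tables, not part of this report or of DCRat: it parses the report's "Set value (str)" rows (the escaping rules, a backslash before every quote and backslash, are an assumption read off the rows above), unescapes the value, splits the Shell list, and flags every entry whose basename is a Windows system process but whose directory is neither System32 nor SysWOW64. The sample rows are copied from the two tables; the list of system names and directories is my own.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Layout of a "Set value (str)" row in this report (an assumption read off the rows above):
#   Set value (str) <key> = "<escaped value>" <writing process> N/A
# where the value is escaped JSON-style: a backslash before every quote and backslash.
STR_ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<raw>(?:[^"\\]|\\.)*)" (?P<process>.+?) N/A$'
)

# Windows binaries whose names the dropper reuses for its copies (my list, taken from the
# rows above); legitimate copies of these live only in the system directories.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "dwm.exe", "conhost.exe", "spoolsv.exe",
                "dllhost.exe", "taskhost.exe", "audiodg.exe", "sppsvc.exe", "cmd.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


@dataclass(frozen=True)
class Finding:
    category: str     # "shell_hijack" (Winlogon\Shell entry) or "run_key"
    value_name: str   # registry value written: Shell, dwm, lsass, ...
    path: str         # executable the entry launches
    masquerade: bool  # system-process name outside a system directory
    process: str      # process that wrote the value


def unescape(raw):
    # Undo the report's escaping: a backslash-escaped character becomes the character itself.
    return re.sub(r"\\(.)", r"\1", raw)


def split_shell_value(value):
    """Winlogon\\Shell holds a comma-separated list of optionally quoted commands.
    Assumption: no commas inside paths, which holds for every row in this report."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def is_masquerade(path):
    """True when the basename is a Windows system process but the directory is not."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name == "explorer.exe":
        # Bare "explorer.exe" is the default Shell and resolves to C:\Windows.
        return parent not in {".", "c:\\windows"}
    return name in SYSTEM_NAMES and parent not in SYSTEM_DIRS


def triage_rows(lines):
    findings = []
    for line in lines:
        m = STR_ROW_RE.match(line.strip())
        if m is None:
            continue
        key, value, process = m.group("key"), unescape(m.group("raw")), m.group("process")
        _, _, value_name = key.rpartition("\\")
        low = key.lower()
        if low.endswith("\\winlogon\\shell"):
            for entry in split_shell_value(value):
                if entry.lower() == "explorer.exe":
                    continue  # the legitimate default; everything after it was injected
                findings.append(Finding("shell_hijack", value_name, entry, is_masquerade(entry), process))
        elif "\\currentversion\\run\\" in low:
            path = value.strip().strip('"')
            findings.append(Finding("run_key", value_name, path, is_masquerade(path), process))
    return findings


# Rows copied verbatim from the two tables above: the final Winlogon\Shell write and four Run entries.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\OSPPSVC.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\taskhost.exe\", \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Hypercommon.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\conhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
]

if __name__ == "__main__":
    for f in triage_rows(REPORT_ROWS):
        flag = "MASQUERADE " if f.masquerade else ""
        print(f"{f.category:12} {f.value_name:8} {flag}{f.path}")
```

Entries such as Idle.exe, Hypercommon.exe and the two OSPPSVC.exe copies are not flagged as masquerades because their names are not Windows system processes; they still appear as shell_hijack or run_key findings, which is the right outcome, since any entry beyond explorer.exe in Shell is abnormal regardless of its name.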

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\spoolsv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\Idle.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\5940a34987c991 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Uninstall Information\6ccacd8608530f C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Photo Viewer\ja-JP\6cb0b6c459d5d3 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\6203df4a6bafc7 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Uninstall Information\Idle.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Portable Devices\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\csrss.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\088424020bedd6 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (45 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Default User\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2676 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2676 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2676 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 1072 wrote to memory of 2560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 2560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 2560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 2560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 2560 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 2560 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 2560 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 2296 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Users\Default User\spoolsv.exe
PID 2296 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Users\Default User\spoolsv.exe
PID 2296 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Users\Default User\spoolsv.exe
PID 1720 wrote to memory of 1604 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 1720 wrote to memory of 1604 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 1720 wrote to memory of 1604 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 1720 wrote to memory of 1772 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 1720 wrote to memory of 1772 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 1720 wrote to memory of 1772 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\spoolsv.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe

"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

"C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "HypercommonH" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Hypercommon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "HypercommonH" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8495b3a-9db8-4546-8c5d-bdd0435d60f4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fe43d45-72da-43a3-a071-f6cfe09cc118.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a1008986.xsph.ru udp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
RU 141.8.192.103:80 a1008986.xsph.ru tcp

Files

C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe

MD5 2febca5513bbb1d2fb14b29bd4998314
SHA1 5fbcf3720fa6200f4dfd67e2d3ec4d91e45b9def
SHA256 d92d5826088b6d9e94de6ef772d9283594ee4c51ca03e829c7024b4dd2f74112
SHA512 60a6ef94ea1d5c379c330e5c2627a34d33c5d1ed85e03fb01d561aa3ded0cad26f5ff9ef682ad83abc234a9aede970dd902e508556524c135ff3661e60b27e1c

C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat

MD5 6c77726beb17fe13c44cbc3312d1ca54
SHA1 919076735be5e1c6c9d077b12beadce4470c7bb2
SHA256 e8130ea9479e696b38d37edbd700f6f08daf4c85c1758d6b6a9a71e627ce5e03
SHA512 5089be432cd1f996f399f4aa03140a7bdb8062304fbf4818351f93090deaa1f2e42fe034307ce542ca5ad7f7484948e7e454b4cfee885815ce402436e573d9c4

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

MD5 f1ca585436d62720be1c8d7f24fb773f
SHA1 3687e578f150e45aa5194f9c485b221459f0f454
SHA256 dc22e22564f7758fd8179f22aace45dfb9a5fbedcf7203ee71a71bf26435cbc7
SHA512 9e56f51802b8de96589dfd51da94c466c70fd320e05a4a574054fac41ffcf5acba2fcbc29f3a655c152560dc13a45cb4f13366ab2db975b3aa7371a041fdaddc

memory/2296-13-0x0000000000050000-0x00000000001C0000-memory.dmp

memory/2296-14-0x00000000002C0000-0x00000000002CE000-memory.dmp

memory/2296-15-0x00000000002D0000-0x00000000002EC000-memory.dmp

memory/2296-16-0x00000000002F0000-0x00000000002F8000-memory.dmp

memory/2296-18-0x00000000007D0000-0x00000000007D8000-memory.dmp

memory/2296-17-0x00000000009F0000-0x0000000000A06000-memory.dmp

memory/2296-19-0x00000000020F0000-0x00000000020F8000-memory.dmp

memory/2296-20-0x0000000002100000-0x0000000002110000-memory.dmp

memory/2296-21-0x0000000002110000-0x000000000211A000-memory.dmp

memory/2296-22-0x0000000002120000-0x000000000212C000-memory.dmp

memory/2296-23-0x0000000002130000-0x000000000213A000-memory.dmp

memory/1720-60-0x0000000000D60000-0x0000000000ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c8495b3a-9db8-4546-8c5d-bdd0435d60f4.vbs

MD5 9ff48d05a69ed8d8454b16ec89a821db
SHA1 3a51ddc504f5774b6bc70ab4b0263fe20e05759e
SHA256 2bfc9517ea0b46fc0a822edf463f53581bac45a7a4fc59073cf6324c795b7357
SHA512 22e086870ed4a43ddcacad432f5f5e40acf322734187a2492bce52cc1e023bcd00dd1f2a4a47afe8d8cbcb734a7f0142b10f9d452aa7ad9c32402c4bba82e597

C:\Users\Admin\AppData\Local\Temp\6fe43d45-72da-43a3-a071-f6cfe09cc118.vbs

MD5 e282d2ed3a64f63fd1cf28cca5fc00d2
SHA1 f9f9fea3051f18a9ce2d57143cc0a24f2defd082
SHA256 8daee1c947167d76b8dc48cbf61f16910eeb32286f84403a11cc5b242e48d5ff
SHA512 ced76dea7d8f657fd185a5aa264483e5c69d2c466e5223c664bd15edd912a505f62821e0fa13c5281d8b89bae73cb6224241ab17f8045fcbef27dadfa303b538

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 22:17

Reported

2024-07-21 22:20

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\", \"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\", \"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\", \"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\smss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ShellExperiences\\System.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Downloads\\smss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\smss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Downloads\\smss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\smss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ShellExperiences\\System.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\AppLocker\backgroundTaskHost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Windows\SysWOW64\AppLocker\eddb19405b7ce1 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\smss.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\69ddcba757bf72 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\ea1d8f6d871115 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellExperiences\System.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Windows\ShellExperiences\27d1bcfc3c54e0 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2008 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe | C:\Windows\SysWOW64\WScript.exe
PID 2008 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe | C:\Windows\SysWOW64\WScript.exe
PID 2008 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe | C:\Windows\SysWOW64\WScript.exe
PID 4620 wrote to memory of 1996 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1996 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1996 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 3412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 1996 wrote to memory of 3412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 3412 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe
PID 3412 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe
PID 4152 wrote to memory of 3248 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\System32\WScript.exe
PID 4152 wrote to memory of 3248 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\System32\WScript.exe
PID 4152 wrote to memory of 1992 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\System32\WScript.exe
PID 4152 wrote to memory of 1992 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\System32\WScript.exe
PID 4152 wrote to memory of 2484 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 2484 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 1632 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 1632 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 1664 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 1664 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 400 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 400 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 772 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 772 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 4840 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 4840 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 3940 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 3940 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 2228 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 2228 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 1632 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 4152 wrote to memory of 3060 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 3060 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 4972 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 4972 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 2580 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 2580 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 400 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 772 wrote to memory of 4848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 772 wrote to memory of 4848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 4152 wrote to memory of 916 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 916 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 1752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 2484 wrote to memory of 1752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 4152 wrote to memory of 4724 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 4724 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 4156 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 4156 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 2580 wrote to memory of 4860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 2580 wrote to memory of 4860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 2228 wrote to memory of 1040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 2228 wrote to memory of 1040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 3940 wrote to memory of 3304 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 3940 wrote to memory of 3304 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 4152 wrote to memory of 1420 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 1420 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 456 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 456 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 3060 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\notepad.exe
PID 4152 wrote to memory of 712 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 712 | N/A | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | C:\Windows\system32\cmd.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe

"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

"C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\AppLocker\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\AppLocker\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\AppLocker\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe

"C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e504b270-d752-417e-ba5b-c827ec2e8b2d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6666fe6-b4a5-4216-a5fe-39494f39044c.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 139.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 a1008986.xsph.ru udp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
RU 141.8.192.103:80 a1008986.xsph.ru tcp

Files

C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe

MD5 2febca5513bbb1d2fb14b29bd4998314
SHA1 5fbcf3720fa6200f4dfd67e2d3ec4d91e45b9def
SHA256 d92d5826088b6d9e94de6ef772d9283594ee4c51ca03e829c7024b4dd2f74112
SHA512 60a6ef94ea1d5c379c330e5c2627a34d33c5d1ed85e03fb01d561aa3ded0cad26f5ff9ef682ad83abc234a9aede970dd902e508556524c135ff3661e60b27e1c

C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat

MD5 6c77726beb17fe13c44cbc3312d1ca54
SHA1 919076735be5e1c6c9d077b12beadce4470c7bb2
SHA256 e8130ea9479e696b38d37edbd700f6f08daf4c85c1758d6b6a9a71e627ce5e03
SHA512 5089be432cd1f996f399f4aa03140a7bdb8062304fbf4818351f93090deaa1f2e42fe034307ce542ca5ad7f7484948e7e454b4cfee885815ce402436e573d9c4

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

MD5 f1ca585436d62720be1c8d7f24fb773f
SHA1 3687e578f150e45aa5194f9c485b221459f0f454
SHA256 dc22e22564f7758fd8179f22aace45dfb9a5fbedcf7203ee71a71bf26435cbc7
SHA512 9e56f51802b8de96589dfd51da94c466c70fd320e05a4a574054fac41ffcf5acba2fcbc29f3a655c152560dc13a45cb4f13366ab2db975b3aa7371a041fdaddc

memory/3412-12-0x00007FFB87953000-0x00007FFB87955000-memory.dmp

memory/3412-13-0x0000000000780000-0x00000000008F0000-memory.dmp

memory/3412-14-0x00000000029F0000-0x00000000029FE000-memory.dmp

memory/3412-15-0x0000000002A00000-0x0000000002A1C000-memory.dmp

memory/3412-19-0x0000000002A50000-0x0000000002A58000-memory.dmp

memory/3412-18-0x0000000002A30000-0x0000000002A46000-memory.dmp

memory/3412-21-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

memory/3412-20-0x0000000002A60000-0x0000000002A68000-memory.dmp

memory/3412-17-0x0000000002A20000-0x0000000002A28000-memory.dmp

memory/3412-16-0x0000000002B80000-0x0000000002BD0000-memory.dmp

memory/3412-22-0x0000000002BE0000-0x0000000002BEA000-memory.dmp

memory/3412-23-0x0000000002BF0000-0x0000000002BFC000-memory.dmp

memory/3412-24-0x0000000002C00000-0x0000000002C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e504b270-d752-417e-ba5b-c827ec2e8b2d.vbs

MD5 5d9c8ba8248d4dedddde9c3aac8ff923
SHA1 7791a191b3eccf9a94a26a1f545a2e2248552d42
SHA256 32937131fac7b9a939a10e5afd556595c9c4c66c5ef1d730bb542e37fc447f86
SHA512 e6efec5651d745beb1ac573ce86c48904be2e1ee68c8bf079569c33567182278fd8dda2eb22165180ca48ccaeb6549d24bec69cabb1b1adbd6c5fc60748f5d3f

C:\Users\Admin\AppData\Local\Temp\d6666fe6-b4a5-4216-a5fe-39494f39044c.vbs

MD5 d31f9e76571928bc388359489b9e3826
SHA1 31a159496c595c9c909765219d782e0c4993430d
SHA256 4a3aa25d2517f55852055bfa9840e7e54c89d91c46ef44c2fc3cf4fd8d4daf11
SHA512 672e32aac11a989f2dd7a09390d9f9475af3e9993a57787545c325a30c4e917a9f9c97e6ee82b6b85953b5bb6a780f9e5a48b533ca57118e846cb96338bdefcc

memory/4152-59-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

memory/4152-60-0x0000000000E40000-0x0000000000E8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat

MD5 2020ae7235e4ca2d098b2a6acfd6a923
SHA1 b390363f25cf5539bbaefffe4805893a3fd4f016
SHA256 caec56565830252605e355886227771736c3d40808a423e97f93a2dcb632a34e
SHA512 13a3b1ebec1f09d0eee9866e8c403c66a29fb530b0c9056246d623e495fac915b5868471b51d95c869636eded94b6115d234a645971d27e7b14eeeda5ecbf9fa