Malware Analysis Report

2024-11-15 05:53

Sample ID 240722-3t8leawdlk
Target ОКУРАТНО.exe
SHA256 94bd0998c7505445e3f74a8d902e4e768adc6304e0135075d0d856eae7c37ab1
Tags
dcrat evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94bd0998c7505445e3f74a8d902e4e768adc6304e0135075d0d856eae7c37ab1

Threat Level: Known bad

The file ОКУРАТНО.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer persistence rat trojan

Process spawned unexpected child process

UAC bypass

Dcrat family

DCRat payload

Modifies WinLogon for persistence

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

System policy modification

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 23:49

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 23:49

Reported

2024-07-22 23:52

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe N/A
File created C:\Program Files\7-Zip\7a0fd90576e088 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\", \"C:\\Windows\\tracing\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\", \"C:\\Windows\\tracing\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\", \"C:\\Windows\\tracing\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\lsass.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
N/A N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\tracing\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\Desktop\\TextInputHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\tracing\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\7-Zip\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\Desktop\\TextInputHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\7-Zip\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Sidebar\\sihost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Recovery\\WindowsRE\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A (×18)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A (×18)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (×2)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\sihost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\6203df4a6bafc7 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File opened for modification C:\Program Files\7-Zip\explorer.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\CrackLauncher.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\7a8b3f7b9ee9a7 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\5b884080fd4f94 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\66fc9ff0ee96c2 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\7-Zip\explorer.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\7-Zip\7a0fd90576e088 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\tracing\WaaSMedicAgent.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Windows\tracing\c82b8037eab33d C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A (×18)
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347 C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\DefaultIcon C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\shell C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\shell\open C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\shell\open\command C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\URL Protocol C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (×39)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A (×15)
N/A N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A (×34)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×6)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A (×18)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×26)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×24)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
PID 3736 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
PID 3736 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
PID 3736 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 3736 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 1204 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2624 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2624 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 1396 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 2688 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 1292 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe
PID 1292 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe
PID 3336 wrote to memory of 4664 N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Windows\System32\WScript.exe
PID 3336 wrote to memory of 4664 N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Windows\System32\WScript.exe
PID 3336 wrote to memory of 5040 N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Windows\System32\WScript.exe
PID 3336 wrote to memory of 5040 N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Windows\System32\WScript.exe
PID 4664 wrote to memory of 1852 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe
PID 4664 wrote to memory of 1852 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe
PID 1852 wrote to memory of 668 N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Windows\System32\WScript.exe
PID 1852 wrote to memory of 668 N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Windows\System32\WScript.exe
PID 1852 wrote to memory of 4720 N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Windows\System32\WScript.exe
PID 1852 wrote to memory of 4720 N/A C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe C:\Windows\System32\WScript.exe
PID 1204 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1204 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 4704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 4704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2836 wrote to memory of 4612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2836 wrote to memory of 4612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4944 wrote to memory of 716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe

"C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe"

C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe

"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

"C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\CrackLauncher.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\CrackLauncher.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\CrackLauncher.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\CrackLauncher.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\CrackLauncher.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\CrackLauncher.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\094b527f-5d0f-41b7-9486-4243c02494c7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcc912dc-efe5-4edf-a025-2cb2a9e36a48.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8109e7f3-5c87-446a-92b5-d6daf6f4ef28.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b21812e-1b81-4ce6-8d89-11091d42f095.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/SDxDej44bY

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90d5546f8,0x7ff90d554708,0x7ff90d554718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/sk3d_club

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff90d5546f8,0x7ff90d554708,0x7ff90d554718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14240757729148080218,1022807100950769410,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14240757729148080218,1022807100950769410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12992023280257848022,17646939535971836394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a00419e0-caa7-4665-be15-309076d59d38.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0af3d330-4a8d-4780-9fad-da2fe70c23fc.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b50e0ce-f352-4061-bdf0-edfe3ce957b1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\389c61c7-dd41-4a98-834c-7ca749b3f86b.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a44d63-064b-430c-84b0-7de77a94f036.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1436ff0-1b6f-45c7-b4b6-345efa84879e.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32b6013e-5a51-4d69-a45d-9302721bb3ca.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d677e6-ec59-4590-8ee8-44cf4b3ecd8a.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c286f5ed-a3a6-4e03-b077-15bc52a4c172.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f4e98de-bc38-4198-9bca-1ca5964ee849.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d5fa3e1-d27b-4a6d-b60d-6b44f6892750.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16b2fe7b-09cc-4e81-9b26-776240937476.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07d281f2-dc2d-4ea7-ba8d-b7308c6e97b5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0799878b-ae25-4c51-a3d1-4ba225c23ef0.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0e5a249-66ac-48ce-8cdf-0ac071b61759.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\752ddcb7-f088-4161-a8e5-ec0907154059.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c2f67a6-93cf-4d58-a065-471e29104847.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac602450-47af-4617-b78f-b516a07c0576.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a984a861-15b5-4e28-ab1c-3d0f7b93d84a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f495cc43-755e-4edd-987c-9ad41ac167b9.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f279707-4164-498a-bca3-fe719c612dd6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d31783a-1f46-436a-b6e4-9bbbd31b39fc.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6594f0c-c27e-4dca-b9f8-236d5dd50918.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18e09da9-21b3-4cb0-97ed-f8fad841626b.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f6415f1-521c-4f4c-b5fc-6beed88cf1fd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e680a61-0f34-4bff-8aac-19113cf69a9c.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97e5f140-b73e-40ec-ac5c-7c16e79d2b65.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e539fab4-8fa0-408f-88c9-e4077f5f5ba3.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc76acfa-7a30-42f6-8513-5cf33ef5cb23.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0900029-1a6f-4bf3-9f22-9b382f321d5a.vbs"

C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe

"C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\577a0707-2ed0-4256-a80c-f8e56b682ff7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30cb9fef-89a3-41bd-835a-d6443da98827.vbs"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 23:49

Reported

2024-07-22 23:52

Platform

win7-20240704-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\14.0\Common C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\AppData\\Roaming\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\AppData\\Roaming\\CrackLauncher.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\server\\Hypercommon.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Users\\Default\\AppData\\Roaming\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hypercommon = "\"C:\\Program Files\\Java\\jre7\\bin\\server\\Hypercommon.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hypercommon = "\"C:\\Program Files\\Java\\jre7\\bin\\server\\Hypercommon.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Users\\Default\\AppData\\Roaming\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
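The Policies\System writes above (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop each forced to 0, the same rows that reappear under System policy modification further down) are the UAC bypass in this sample: with ConsentPromptBehaviorAdmin=0 an administrator token elevates with no prompt, effective immediately, and EnableLUA=0 switches UAC off entirely once the machine reboots. Together with the two Run keys listed under "Adds Run key to start application" and the discord-1199748644409184347 protocol handler that CrackLauncher.exe registers under "Modifies registry class", they are the rows to pull out of this report first. The script below is an added example, not part of the sandbox output: it parses rows in the report's column layout, collapses the repeated writes, decodes the escaped values into plain paths, and compares a Policies\System snapshot against the Windows defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1). SAMPLE_ROWS is a hand-copied excerpt of this report's rows, and read_live_policy() is an assumed helper that only works on a Windows host.

```python
import re

# Constructed excerpt of this report's registry rows (same column layout: Description,
# Indicator [= value], Process, Target). Paths and values are the ones the report lists.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Users\\Default\\AppData\\Roaming\\CrackLauncher.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hypercommon = "\"C:\\Program Files\\Java\\jre7\\bin\\server\\Hypercommon.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A',
]

ROW_RE = re.compile(
    r'^(?P<desc>Set value \(\w+\)|Key created|Key value queried)\s+'
    r'(?P<key>\\REGISTRY\\\S+)'
    r'(?:\s+=\s+(?P<value>"(?:[^"\\]|\\.)*"|\S+))?'  # quoted values may contain \" and \\
    r'\s+(?P<process>.+?)\s+N/A$')
UAC_POLICY_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
UAC_VALUES = {  # name: (value the malware writes, Windows default it replaces)
    'EnableLUA': ('0', 1),                   # 0 = UAC off, effective after the next reboot
    'ConsentPromptBehaviorAdmin': ('0', 5),  # 0 = admins elevate silently, effective at once
    'PromptOnSecureDesktop': ('0', 1),       # 0 = any prompt is drawn on the user desktop
}
RUN_KEY_RE = re.compile(r'^\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\Software\\Microsoft\\Windows'
                        r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$', re.IGNORECASE)
PROTOCOL_RE = re.compile(r'_CLASSES\\(?P<proto>[^\\]+)\\shell\\open\\command\\?$', re.IGNORECASE)

def decode_value(raw):
    # The report quotes values and escapes inner quotes and backslashes; a Run
    # command is quoted once more. Return the plain string (None if no value).
    if raw is None:
        return None
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw.strip('"')

def triage(lines):
    """Classify Set-value rows as UAC-disabling, Run-key or URL-protocol writes,
    collapsing the repeats the sandbox logs for every identical write."""
    found = {'uac': [], 'run': [], 'protocol': []}
    seen = set()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m or not m['desc'].startswith('Set value'):
            continue
        key, value, proc = m['key'], decode_value(m['value']), m['process']
        parent, _, name = key.rpartition('\\')
        run, proto = RUN_KEY_RE.match(key), PROTOCOL_RE.search(key)
        if parent == UAC_POLICY_KEY and name in UAC_VALUES and value == UAC_VALUES[name][0]:
            entry = ('uac', name, value, proc)
        elif run:
            entry = ('run', run['name'], value, proc)
        elif proto:
            entry = ('protocol', proto['proto'], value, proc)
        else:
            continue
        if entry not in seen:
            seen.add(entry)
            found[entry[0]].append(entry[1:])
    return found

def uac_findings(policy):
    """List the settings in a {name: int} snapshot of the policy key that sit at the
    attacker's value; names missing from the snapshot are treated as the default."""
    return [f'{name}={bad} (default {default})'
            for name, (bad, default) in UAC_VALUES.items()
            if int(policy.get(name, default)) == int(bad)]

def read_live_policy():
    """Assumed helper: read the same three values on a Windows host (winreg is Windows-only)."""
    import winreg
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System') as key:
        for name in UAC_VALUES:
            try:
                policy[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:
                pass  # value absent: Windows uses the default
    return policy

if __name__ == '__main__':
    for kind, entries in triage(SAMPLE_ROWS).items():
        for entry in entries:
            print(kind, *entry)
    print(uac_findings({'EnableLUA': 0, 'ConsentPromptBehaviorAdmin': 0, 'PromptOnSecureDesktop': 0}))
```

Run it as a script to print the de-duplicated writes, or on a suspect Windows host feed read_live_policy() into uac_findings(). An empty list means the three values are at their defaults, not that UAC was never touched, so pair it with the Run-key and protocol-handler output. Remember that the EnableLUA=0 write only takes effect after a reboot: a host can still report UAC as enabled while ConsentPromptBehaviorAdmin=0 already lets every elevation through without a prompt.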

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Java\jre7\bin\server\3fc602c7e77519 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{297A93A1-4885-11EF-B3C2-F67F0CB12BFA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000ab6226309accfe0059edfa14a5be0c42e4df6e9596d21f6fa5befa03d98c0b63000000000e8000000002000020000000ddd42f538e855e8aee4f7c422614c7824bf4f80cd0a730d64eecab67ee3c2ac3200000004539ee79a438fb83457a71d41a3dced2336bf510507fcbd8567adb5212512fc74000000013c9edb5ee6c1402f78c25e9a7b6ab9ade752c8704eb25efe92b339dd755700e546ca6c87f92b96ef4565b02e09fe2073d0f6220a3a5dc1741dbe41c98cc3ed4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427854092" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29783241-4885-11EF-B3C2-F67F0CB12BFA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ebf7fe91dcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347 C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\URL Protocol C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\DefaultIcon C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open\command C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
PID 2520 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
PID 2520 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
PID 2520 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
PID 2520 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2520 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2520 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2520 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2008 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2376 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2376 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2376 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe
PID 2124 wrote to memory of 3048 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3048 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3048 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3048 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 3048 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 3048 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 3048 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 2864 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
PID 2864 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
PID 2864 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
PID 1460 wrote to memory of 2952 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 1460 wrote to memory of 2952 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 1460 wrote to memory of 2952 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 1460 wrote to memory of 880 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 1460 wrote to memory of 880 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 1460 wrote to memory of 880 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 2952 wrote to memory of 3004 N/A C:\Windows\System32\WScript.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
PID 2952 wrote to memory of 3004 N/A C:\Windows\System32\WScript.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
PID 2952 wrote to memory of 3004 N/A C:\Windows\System32\WScript.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
PID 3004 wrote to memory of 1732 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 1732 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 1732 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 672 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 672 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 672 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe
PID 2008 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\WerFault.exe
PID 2008 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\WerFault.exe
PID 2008 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\WerFault.exe
PID 1764 wrote to memory of 3028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1764 wrote to memory of 3028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1764 wrote to memory of 3028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1764 wrote to memory of 3028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2076 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2076 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2076 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2488 wrote to memory of 2076 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1732 wrote to memory of 2924 N/A C:\Windows\System32\WScript.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
PID 1732 wrote to memory of 2924 N/A C:\Windows\System32\WScript.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
PID 1732 wrote to memory of 2924 N/A C:\Windows\System32\WScript.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe
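Process creation on Windows has the parent write into the new child's address space, which is why the WriteProcessMemory rows above line up with the process tree: ОКУРАТНО.exe (PID 2520) starts NursultanCrack.exe and CrackLauncher.exe; NursultanCrack.exe goes through WScript.exe and cmd.exe to start Hypercommon.exe from %AppData%\portwebdll, which starts its copy under Program Files\Java\jre7\bin\server, and that copy relaunches itself through WScript.exe; CrackLauncher.exe opens Internet Explorer and ends in WerFault.exe. The block below is an added example, not part of the report, that reconstructs this tree from rows in the report's layout: it collapses the three or four identical rows the sandbox logs per event, renders the tree, walks the lineage of any PID back to the root, and flags hops where a script host or shell starts an image outside the Windows directory. SAMPLE_ROWS is a hand-copied excerpt of the rows above; the SCRIPT_HOSTS set is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed excerpt of the WriteProcessMemory rows above, in the report's column layout
# (Description, Indicator, Process, Target). The sandbox logs every write, so the same
# parent/child pair recurs; one duplicate is kept here to show it being collapsed.
SAMPLE_ROWS = [
    r'PID 2520 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe',
    r'PID 2520 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe',
    r'PID 2520 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe',
    r'PID 2376 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe C:\Windows\SysWOW64\WScript.exe',
    r'PID 2124 wrote to memory of 3048 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe',
    r'PID 3048 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe',
    r'PID 2864 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe',
    r'PID 1460 wrote to memory of 2952 N/A C:\Program Files\Java\jre7\bin\server\Hypercommon.exe C:\Windows\System32\WScript.exe',
    r'PID 2952 wrote to memory of 3004 N/A C:\Windows\System32\WScript.exe C:\Program Files\Java\jre7\bin\server\Hypercommon.exe',
    r'PID 2008 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Program Files\Internet Explorer\iexplore.exe',
]

# Both image paths may contain spaces, so split at the first " <drive>:\" after the source.
ROW_RE = re.compile(r'^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) N/A '
                    r'(?P<src>[A-Za-z]:\\.+?) (?P<dst>[A-Za-z]:\\.+)$')
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe', 'mshta.exe'}

def build_tree(lines):
    """Return (names, children, roots): image path per PID, parent -> children with
    duplicate events collapsed, and the PIDs that nobody wrote into."""
    names, children = {}, defaultdict(list)
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m['src_pid']), int(m['dst_pid'])
        names.setdefault(src, m['src'])
        names.setdefault(dst, m['dst'])
        if dst not in children[src]:
            children[src].append(dst)
    written_to = {c for cs in children.values() for c in cs}
    roots = [p for p in names if p not in written_to]
    return names, dict(children), roots

def render(names, children, roots):
    """Indented text tree, one line per PID, in the order the sandbox saw them."""
    out = []
    def walk(pid, depth):
        out.append('    ' * depth + f'{pid}  {names[pid]}')
        for child in children.get(pid, []):
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return out

def lineage(children, pid):
    """PIDs from the root down to pid: the path execution took to reach it."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]

def script_host_hops(names, children):
    """Hops where a script host or shell starts an image outside the Windows directory,
    which is where a dropper hands off to its payload (cmd -> Hypercommon here)."""
    hops = []
    for p, cs in children.items():
        if names[p].rsplit('\\', 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        for c in cs:
            if not names[c].lower().startswith('c:\\windows\\'):
                hops.append((p, c, names[c]))
    return hops

if __name__ == '__main__':
    names, children, roots = build_tree(SAMPLE_ROWS)
    print('\n'.join(render(names, children, roots)))
    print('lineage of 3004:', ' -> '.join(map(str, lineage(children, 3004))))
    for p, c, image in script_host_hops(names, children):
        print(f'{names[p]} (PID {p}) started {image} (PID {c})')
```

The roots are relative to the rows you feed in, so on a full report a second root usually means a hop the excerpt missed rather than a second initial process. A write-to-memory row can also be injection rather than creation; when the Process and Target images are the same binary, or the target is a system process that was already running, check the Processes section before treating the row as a parent/child edge.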

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jre7\bin\server\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe

"C:\Users\Admin\AppData\Local\Temp\ОКУРАТНО.exe"

C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe

"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

"C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Roaming\CrackLauncher.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\CrackLauncher.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Roaming\CrackLauncher.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "HypercommonH" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\server\Hypercommon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Hypercommon" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\server\Hypercommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "HypercommonH" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\server\Hypercommon.exe'" /rl HIGHEST /f

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b12884c-109d-49b2-9dd0-9d796c1dd2df.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3d36311-f268-4a51-85da-627b8bc9d630.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccfac8f4-fdd2-427d-abe0-13022f813aa9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe8f69ee-2493-4ab5-8881-335562d47fa3.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/SDxDej44bY

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/sk3d_club

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2008 -s 176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a32cbcb2-61e3-4939-981e-b6a165edcbd8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8a47cf5-3bcc-4d96-ab5d-e4ac796abbe7.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\544c7a5b-3eb2-4414-8e09-b75ad377cc73.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e30d06-3ce1-4758-9d2c-54c848a07967.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f7c68cb-7ba4-4ad9-8ea1-bb4d9ecc9be6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f53bf21-a855-4ab8-bb1f-76f1fb682578.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\583c18e1-3a21-46df-abb7-3f1e4d282169.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45b68361-4586-49ec-a0af-0d9cd2e984c4.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7dae6f4-ac99-44b2-9390-887a9cd444c9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6216964-8fff-4dcb-92d1-02d792c53b3d.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\251ff235-0606-4ebb-a561-8852fd87fe6d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b975e87c-607c-4131-b20e-f26ef3e29c9c.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e3269c0-a56b-48be-9036-d417aa6c252c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f3ff2c8-01b1-430f-b8ad-18bf6e8ddb58.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3dd3e34-ebb3-4d57-8aeb-d21f1e537174.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d92a5997-fd74-448a-9e7c-f08efc464225.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d24b99e0-7744-4242-9216-143d445dfa1b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52bceaff-118d-4377-bb78-d975eda2011b.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a6ac9a3-d1c1-45f5-a068-e9fedb541b73.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\309bfd41-01a4-4761-90e6-f2ce54c9abe3.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0511bb84-b738-4431-94b0-cfe004ee17e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85f18222-83b4-4206-b2ba-08c043f6911f.vbs"

C:\Program Files\Java\jre7\bin\server\Hypercommon.exe

"C:\Program Files\Java\jre7\bin\server\Hypercommon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1299d216-afd3-418e-8997-c68b86dcb921.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\779789b8-117b-4aec-8c90-ee10dd39d987.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a1008986.xsph.ru udp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
US 8.8.8.8:53 discord.gg udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 162.159.130.234:443 discord.gg tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\NursultanCrack.exe

\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

memory/2520-12-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe

C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

memory/2864-27-0x00000000011A0000-0x0000000001310000-memory.dmp

memory/2864-28-0x00000000002C0000-0x00000000002CE000-memory.dmp

memory/2864-29-0x00000000004E0000-0x00000000004FC000-memory.dmp

memory/2864-30-0x0000000000350000-0x0000000000358000-memory.dmp

memory/2864-31-0x0000000000500000-0x0000000000516000-memory.dmp

memory/2864-32-0x0000000000520000-0x0000000000528000-memory.dmp

memory/2864-33-0x00000000005B0000-0x00000000005B8000-memory.dmp

memory/2864-34-0x0000000000C60000-0x0000000000C70000-memory.dmp

memory/2864-35-0x0000000000720000-0x000000000072A000-memory.dmp

memory/2864-36-0x0000000000C70000-0x0000000000C7C000-memory.dmp

memory/2864-37-0x0000000000C80000-0x0000000000C8A000-memory.dmp

memory/1460-48-0x0000000000C80000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5b12884c-109d-49b2-9dd0-9d796c1dd2df.vbs

C:\Users\Admin\AppData\Local\Temp\c3d36311-f268-4a51-85da-627b8bc9d630.vbs

memory/3004-59-0x0000000000D60000-0x0000000000ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ccfac8f4-fdd2-427d-abe0-13022f813aa9.vbs

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{297A93A1-4885-11EF-B3C2-F67F0CB12BFA}.dat

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{29783241-4885-11EF-B3C2-F67F0CB12BFA}.dat

C:\Users\Admin\AppData\Local\Temp\Cab4F6A.tmp

C:\Users\Admin\AppData\Local\Temp\Tar5057.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XWMUP5AI\favicon[2].ico

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ljg9kkp\imagestore.dat

memory/2924-195-0x00000000012A0000-0x0000000001410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a32cbcb2-61e3-4939-981e-b6a165edcbd8.vbs

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{29783244-4885-11EF-B3C2-F67F0CB12BFA}.dat

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{E18CB270-3A25-11EF-B202-D685E2345D05}.dat

C:\Users\Admin\AppData\Local\Temp\~DFFF5B26AEACE34E5C.TMP

C:\Users\Admin\AppData\Local\Temp\544c7a5b-3eb2-4414-8e09-b75ad377cc73.vbs

C:\Users\Admin\AppData\Local\Temp\8f7c68cb-7ba4-4ad9-8ea1-bb4d9ecc9be6.vbs

memory/2616-684-0x0000000000130000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\583c18e1-3a21-46df-abb7-3f1e4d282169.vbs

C:\Users\Admin\AppData\Local\Temp\a7dae6f4-ac99-44b2-9390-887a9cd444c9.vbs

memory/1992-707-0x0000000000110000-0x0000000000280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\251ff235-0606-4ebb-a561-8852fd87fe6d.vbs

memory/2896-734-0x0000000000C60000-0x0000000000DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2e3269c0-a56b-48be-9036-d417aa6c252c.vbs

memory/2164-1160-0x00000000001E0000-0x0000000000350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f3dd3e34-ebb3-4d57-8aeb-d21f1e537174.vbs

MD5 2ddbee16243124838bdeaa0360699047
SHA1 1fbddcb5540e8624d69ef386806bbfc05d69d7c2
SHA256 aa98f62a6af6d99a0c07f23d10ed4a9dd818c1305cd52ed75d31fb7609367dac
SHA512 97687333f92ae3cb8308a877dae21918a30ffb1f4185e0b961fb84adc2656d2a65a2e64621d6166cc0dc4607c8a742e988ea402e46837c5aa9644d34502e6623

memory/2560-1179-0x0000000000FF0000-0x0000000001160000-memory.dmp

memory/3024-1187-0x00000000003D0000-0x0000000000540000-memory.dmp

memory/1380-1195-0x0000000000910000-0x0000000000A80000-memory.dmp