Malware Analysis Report

2024-12-07 03:21

Sample ID 241112-y7r4cszjfx
Target d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
SHA256 d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
Tags
dcrat discovery evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0

Threat Level: Known bad

The file d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0 was found to be: Known bad.

Malicious Activity Summary

dcrat discovery evasion infostealer rat trojan

DCRat payload

DcRat

Process spawned unexpected child process

Dcrat family

UAC bypass

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 20:25

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 20:25

Reported

2024-11-12 20:28

Platform

win7-20240729-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\conhost.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\conhost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Adobe\OSPPSVC.exe | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
File created | C:\Program Files (x86)\Adobe\1610b97d3ab4a7 | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
File created | C:\Program Files\Windows Journal\es-ES\services.exe | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
File created | C:\Program Files\Windows Journal\es-ES\c5b4cb5e9653cc | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Registration\CRMLog\886983d96e3d3e | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
File created | C:\Windows\Registration\CRMLog\csrss.exe | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
N/A | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
N/A | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
N/A | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
N/A | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
N/A | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
N/A | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A
N/A | N/A | C:\Users\Default\conhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\conhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2188 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe | C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe
PID 2696 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe
PID 2696 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe
PID 2696 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe
PID 2824 wrote to memory of 1756 | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | C:\Windows\System32\cmd.exe
PID 2824 wrote to memory of 1756 | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | C:\Windows\System32\cmd.exe
PID 2824 wrote to memory of 1756 | N/A | C:\MssurrogateBrowserDrivermonitor\reviewnet.exe | C:\Windows\System32\cmd.exe
PID 1756 wrote to memory of 2832 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1756 wrote to memory of 2832 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1756 wrote to memory of 2832 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1756 wrote to memory of 2796 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\conhost.exe
PID 1756 wrote to memory of 2796 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\conhost.exe
PID 1756 wrote to memory of 2796 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\conhost.exe
PID 2796 wrote to memory of 2052 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 2052 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 2052 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 1716 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 1716 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 1716 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2052 wrote to memory of 2348 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 2052 wrote to memory of 2348 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 2052 wrote to memory of 2348 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 2348 wrote to memory of 1872 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2348 wrote to memory of 1872 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2348 wrote to memory of 1872 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2348 wrote to memory of 2720 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2348 wrote to memory of 2720 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2348 wrote to memory of 2720 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 1872 wrote to memory of 1972 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 1872 wrote to memory of 1972 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 1872 wrote to memory of 1972 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 1972 wrote to memory of 1376 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 1972 wrote to memory of 1376 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 1972 wrote to memory of 1376 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 1972 wrote to memory of 1120 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 1972 wrote to memory of 1120 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 1972 wrote to memory of 1120 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 1376 wrote to memory of 2244 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 1376 wrote to memory of 2244 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 1376 wrote to memory of 2244 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 2244 wrote to memory of 2772 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2244 wrote to memory of 2772 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2244 wrote to memory of 2772 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2244 wrote to memory of 2276 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2244 wrote to memory of 2276 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2244 wrote to memory of 2276 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2772 wrote to memory of 2160 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 2772 wrote to memory of 2160 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 2772 wrote to memory of 2160 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default\conhost.exe
PID 2160 wrote to memory of 2596 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2160 wrote to memory of 2596 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe
PID 2160 wrote to memory of 2596 | N/A | C:\Users\Default\conhost.exe | C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe

"C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\file.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat" "

C:\MssurrogateBrowserDrivermonitor\reviewnet.exe

"C:\MssurrogateBrowserDrivermonitor\reviewnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtvPUwLvJY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\conhost.exe

"C:\Users\Default\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e595425-2b73-4195-8911-5c6073effb7a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e78716f-e5e2-46a7-b033-7b3ab4766850.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e916356-a953-44c7-8530-d95597a79d0b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaeb15bb-067f-488d-b567-db5b74597a9b.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2dc70cd-c7a7-4c95-b5a8-a7e778ae12bd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a16bf023-bf1b-40a1-95e9-135b9e30e542.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6768f131-2ea9-46bc-9e4c-ca0c7654fb2e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81884a55-d186-4193-ab92-cdc0d7d8131c.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731a0643-9b43-4ad9-aa55-421bf99ec43e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cea0326f-7242-486f-80cf-cbc364719b12.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54560b77-8407-4bae-a88d-20ef2533176f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebafc3d7-63cf-4cdf-bf32-b4596c185f48.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55b0723a-52e8-40b0-9364-d19752616b1d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8fe92d0-f36c-4692-873f-84d41170c6ae.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b437ed2-39fd-41bc-b03d-3d2c491f60c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c60b3b21-5794-4d6c-b6e4-5d7f9ffc9e34.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1849ee88-3ca4-4367-9c5f-3ebf988c1e75.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\387d7a71-d1fd-440c-ab22-7c798371c211.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a259954-f278-4c40-b898-72a1ec086170.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c097a7e-8d46-484e-9a22-8a8e44529da8.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f32c890a-8ddf-418a-931f-fe1b3fd96af4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cadae5a-cca7-4446-a51c-86f7b9973bc9.vbs"

C:\Users\Default\conhost.exe

C:\Users\Default\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65075b9-6742-464f-b51a-0c98524da1b0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d4fca6-04ed-4edd-a021-6cdcbb7916a4.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a1048068.xsph.ru udp
RU 141.8.194.149:80 a1048068.xsph.ru tcp

Files

C:\MssurrogateBrowserDrivermonitor\file.vbs

C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe

C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat

\MssurrogateBrowserDrivermonitor\reviewnet.exe

C:\Users\Admin\AppData\Local\Temp\QtvPUwLvJY.bat

C:\Users\Admin\AppData\Local\Temp\3e595425-2b73-4195-8911-5c6073effb7a.vbs

C:\Users\Admin\AppData\Local\Temp\9e78716f-e5e2-46a7-b033-7b3ab4766850.vbs

C:\Users\Admin\AppData\Local\Temp\9e916356-a953-44c7-8530-d95597a79d0b.vbs

C:\Users\Admin\AppData\Local\Temp\c2dc70cd-c7a7-4c95-b5a8-a7e778ae12bd.vbs

C:\Users\Admin\AppData\Local\Temp\6768f131-2ea9-46bc-9e4c-ca0c7654fb2e.vbs

C:\Users\Admin\AppData\Local\Temp\731a0643-9b43-4ad9-aa55-421bf99ec43e.vbs

C:\Users\Admin\AppData\Local\Temp\54560b77-8407-4bae-a88d-20ef2533176f.vbs

C:\Users\Admin\AppData\Local\Temp\55b0723a-52e8-40b0-9364-d19752616b1d.vbs

C:\Users\Admin\AppData\Local\Temp\6b437ed2-39fd-41bc-b03d-3d2c491f60c5.vbs

C:\Users\Admin\AppData\Local\Temp\1849ee88-3ca4-4367-9c5f-3ebf988c1e75.vbs

C:\Users\Admin\AppData\Local\Temp\3a259954-f278-4c40-b898-72a1ec086170.vbs

C:\Users\Admin\AppData\Local\Temp\f32c890a-8ddf-418a-931f-fe1b3fd96af4.vbs

C:\Users\Admin\AppData\Local\Temp\b65075b9-6742-464f-b51a-0c98524da1b0.vbs

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 20:25

Reported

2024-11-12 20:28

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\wininit.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\Visualizations\5b884080fd4f94 C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Crashpad\reports\29c1c3cc0f7685 C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\ModifiableWindowsApps\services.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Crashpad\attachments\cmd.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Crashpad\attachments\ebf1f9fa8afd6d C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\ModifiableWindowsApps\WaaSMedicAgent.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Crashpad\reports\unsecapp.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Stationery\088424020bedd6 C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\5940a34987c991 C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Offline Web Pages\dllhost.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Windows\Offline Web Pages\5940a34987c991 C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Windows\en-US\SppExtComObj.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File opened for modification C:\Windows\en-US\SppExtComObj.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Windows\en-US\e1ef82546f0b02 C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Windows\Setup\State\RuntimeBroker.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
File created C:\Windows\Setup\State\9e8d7a4ca61bd9 C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe C:\Windows\SysWOW64\WScript.exe
PID 4752 wrote to memory of 2428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 2428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 2428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 468 N/A C:\Windows\SysWOW64\cmd.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe
PID 2428 wrote to memory of 468 N/A C:\Windows\SysWOW64\cmd.exe C:\MssurrogateBrowserDrivermonitor\reviewnet.exe
PID 468 wrote to memory of 4272 N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe C:\Windows\System32\cmd.exe
PID 468 wrote to memory of 4272 N/A C:\MssurrogateBrowserDrivermonitor\reviewnet.exe C:\Windows\System32\cmd.exe
PID 4272 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4272 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4272 wrote to memory of 3216 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\wininit.exe
PID 4272 wrote to memory of 3216 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\wininit.exe
PID 3216 wrote to memory of 4084 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3216 wrote to memory of 4084 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3216 wrote to memory of 1272 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3216 wrote to memory of 1272 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4084 wrote to memory of 3752 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4084 wrote to memory of 3752 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 3752 wrote to memory of 4676 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3752 wrote to memory of 4676 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3752 wrote to memory of 2192 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3752 wrote to memory of 2192 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4676 wrote to memory of 1976 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4676 wrote to memory of 1976 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 1976 wrote to memory of 4584 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1976 wrote to memory of 4584 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1976 wrote to memory of 2208 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1976 wrote to memory of 2208 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4584 wrote to memory of 1196 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4584 wrote to memory of 1196 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 1196 wrote to memory of 1524 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1196 wrote to memory of 1524 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1196 wrote to memory of 3216 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1196 wrote to memory of 3216 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1524 wrote to memory of 4760 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 1524 wrote to memory of 4760 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4760 wrote to memory of 2424 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4760 wrote to memory of 2424 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4760 wrote to memory of 3780 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4760 wrote to memory of 3780 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 2608 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 2424 wrote to memory of 2608 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 2608 wrote to memory of 3692 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 3692 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 1044 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 1044 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3692 wrote to memory of 1028 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 3692 wrote to memory of 1028 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 1028 wrote to memory of 4168 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1028 wrote to memory of 4168 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1028 wrote to memory of 4820 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1028 wrote to memory of 4820 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4168 wrote to memory of 4916 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4168 wrote to memory of 4916 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4916 wrote to memory of 1332 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4916 wrote to memory of 1332 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4916 wrote to memory of 3876 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4916 wrote to memory of 3876 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1332 wrote to memory of 540 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
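
The rows above record three UAC policy values being written to 0, first by the dropped C:\Recovery\WindowsRE\wininit.exe and then by C:\MssurrogateBrowserDrivermonitor\reviewnet.exe: EnableLUA = 0 switches UAC off at the next reboot, ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any consent prompt, and PromptOnSecureDesktop = 0 moves whatever prompts remain off the secure desktop. The sandbox logs every write, so the same value appears many times. The following detection helper is an added example, not part of the sandbox report: it parses rows in the table's own format, collapses the repeats, and reports one finding per (process, value) that departs from the hardened setting; the hardened values in UAC_VALUES are the documented Windows defaults, SAMPLE_ROWS copies rows from the table plus two constructed benign lines, and audit_live_host (Windows only) applies the same comparison to the local registry.

```python
"""Flag UAC-weakening writes under HKLM\\...\\Policies\\System.

Added example; not part of the sandbox report. SAMPLE_ROWS copies rows from
the 'System policy modification' table plus two constructed lines.
"""
import re

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (hardened value, what setting it to 0 achieves). Documented
# Windows semantics; an absent value is treated by Windows as the default.
UAC_VALUES = {
    "EnableLUA": (1, "UAC switched off entirely (takes effect after reboot)"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": (1, "prompts drawn on the interactive desktop, where they can be spoofed"),
}

# One table row: Set value (<type>) <key>\<name> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+)'
    r' = "(?P<data>[^"]*)" (?P<process>\S.*?) (?P<target>\S+)$'
)


def parse_row(line):
    """Return the row's fields, or None if the line is not a 'Set value' row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def find_uac_tampering(lines):
    """One finding per (process, value) whose data differs from the hardened value.

    Writes to other keys or other value names are ignored; repeated rows for
    the same process and value collapse into a single finding.
    """
    seen, findings = set(), []
    for line in lines:
        row = parse_row(line)
        if row is None or row["key"].lower() != POLICY_KEY.lower():
            continue
        name = row["name"]
        if name not in UAC_VALUES:
            continue
        expected, effect = UAC_VALUES[name]
        observed = int(row["data"]) if row["data"].lstrip("-").isdigit() else None
        if observed == expected or (row["process"], name) in seen:
            continue
        seen.add((row["process"], name))
        findings.append({"process": row["process"], "value": name,
                         "observed": observed, "expected": expected, "effect": effect})
    return findings


def by_process(findings):
    """Map each writing process to the sorted list of UAC values it changed."""
    out = {}
    for f in findings:
        out.setdefault(f["process"], set()).add(f["value"])
    return {p: sorted(v) for p, v in out.items()}


def audit_live_host():
    """Compare the local registry against UAC_VALUES (Windows only).

    Returns findings in the same shape, or None when winreg is unavailable so
    a caller can distinguish 'not checked' from 'clean'.
    """
    try:
        import winreg
    except ImportError:
        return None
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    findings = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        for name, (expected, effect) in UAC_VALUES.items():
            try:
                observed, _ = winreg.QueryValueEx(key, name)
            except OSError:
                continue  # value absent: Windows applies its default
            if observed != expected:
                findings.append({"process": "(live registry)", "value": name,
                                 "observed": observed, "expected": expected, "effect": effect})
    return findings


# Rows copied from the table above; the last two are constructed and must not fire.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MssurrogateBrowserDrivermonitor\reviewnet.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "1" C:\Windows\regedit.exe N/A',
]

if __name__ == "__main__":
    for proc, values in by_process(find_uac_tampering(SAMPLE_ROWS)).items():
        print(proc, "->", ", ".join(values))
```

On a host where these writes succeeded, the effect of EnableLUA = 0 is only visible after a reboot, so the registry value itself, not the current prompt behaviour, is what to check during response.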

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe

"C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat" "

C:\MssurrogateBrowserDrivermonitor\reviewnet.exe

"C:\MssurrogateBrowserDrivermonitor\reviewnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewnetr" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\reviewnet.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewnet" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\reviewnet.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewnetr" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\reviewnet.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Visualizations\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\reports\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MssurrogateBrowserDrivermonitor\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MssurrogateBrowserDrivermonitor\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\MssurrogateBrowserDrivermonitor\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\MssurrogateBrowserDrivermonitor\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vm34McNXba.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\wininit.exe

"C:\Recovery\WindowsRE\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9a6b6d4-b4af-402d-aa3b-833005a43e38.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\959eb904-3fd0-49df-9c19-ff9e1ac1b075.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e6ffc69-153c-4008-8773-0faf3d205730.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daae4211-0956-4b07-b23c-70ad210d556d.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bc3a4b7-e2ee-4dd8-a976-bcd6f963a411.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b561d07-47f8-4fcb-a22d-11b509bc8877.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c1bcd4b-f3d3-4d4a-aa10-1684ac1ae2ee.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef67546b-4570-40f6-bc55-7dcfaa8af9f8.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cef5c35-44c1-4036-ac43-db74f5f5c5d7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be55c717-5f49-46a5-82d2-365ccc00b9b6.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba3666c3-bccc-4a5b-9d5c-682c4cd7c744.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3ba3c50-4d30-4fb8-83fc-0e373e3e76b1.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\599fb552-b280-412d-a47c-2e7c22b45914.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a8d4efb-4431-4440-8c4d-470a2ed97f56.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\720d8293-3b07-4317-9890-cb4620fd7d41.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d51c01b-1f5e-48cf-a886-d73098ea95b0.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5533b09d-4c1d-45b6-8ee2-f69248b671a1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3c65996-cef4-4d65-8d2d-73d46c56c3d5.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8bf11d-75e7-4177-b5e6-7460566b5bd6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bbefbd0-12bf-4f1a-b142-ba6f4fee96fa.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a758ae4f-c70f-422a-a210-5a3fa8f1cbe5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80262ab9-21a5-4c6c-b00e-69f8643a1e88.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d27ddd-b3fe-449d-abe1-ae57b72c2fbe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0963be25-1c0a-40f8-9b38-eb32a2892535.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaf1cd4-48f1-455c-8d23-a0454695d6c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a671dab-7d1b-4cec-9962-fe62fa6fd290.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17afc447-5bbf-4381-9407-5641285e73a1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2e3d8d-3a81-4587-87bb-8b64f97d56aa.vbs"
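
The schtasks.exe calls in the list above follow one template per dropped binary: a task named after the binary plus a one-letter suffix on a MINUTE trigger, a task with the bare name on ONLOGON with /rl HIGHEST, then the suffixed task created again on a MINUTE trigger with /rl HIGHEST. Because every call passes /f and the suffixed pair share a task name, the second MINUTE task replaces the first, so what persists is the HIGHEST-privilege version. Each target path uses a Windows system binary name (csrss.exe, smss.exe, wininit.exe, conhost.exe, dllhost.exe, RuntimeBroker.exe, fontdrvhost.exe, sppsvc.exe, SppExtComObj.exe, unsecapp.exe, cmd.exe) in a directory where that binary never lives. The parser below is an added example, not part of the sandbox report: it extracts the /tn, /sc, /mo, /tr and /rl fields, flags a task when its target is a system binary name outside System32 or SysWOW64, runs as HIGHEST, or fires at minute granularity, and groups the results per executable. SYSTEM_BINARIES, the minute-interval threshold and the constructed benign last line in SAMPLE_CMDLINES are my own; the remaining sample lines are copied from the list above, and the /tr extraction assumes the quoted form seen there.

```python
"""Parse 'schtasks /create' lines and group the persistence targets.

Added example; not part of the sandbox report. SAMPLE_CMDLINES copies
command lines from the Processes list plus one constructed benign task.
"""
import re
from collections import defaultdict
from ntpath import basename

# Legitimate Windows binary names the tasks impersonate (list is mine).
SYSTEM_BINARIES = {
    "csrss.exe", "wininit.exe", "smss.exe", "conhost.exe", "dllhost.exe",
    "runtimebroker.exe", "fontdrvhost.exe", "sppsvc.exe", "sppextcomobj.exe",
    "unsecapp.exe", "cmd.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MINUTE_THRESHOLD = 15  # MINUTE triggers at or below this interval are flagged

# Field extractors; /tr is taken without the surrounding "..." and '...' quotes.
FLAG_RE = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "run_level": re.compile(r"/rl\s+(\w+)", re.I),
    "target": re.compile(r"""/tr\s+"?'?([^"']+)'?"?""", re.I),
}


def parse_schtasks(cmdline):
    """Return the /create fields as a dict, or None for any other command."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.I):
        return None
    fields = {}
    for key, rx in FLAG_RE.items():
        m = rx.search(cmdline)
        fields[key] = m.group(1) if m else None
    fields["modifier"] = int(fields["modifier"]) if fields["modifier"] else None
    fields["run_level"] = (fields["run_level"] or "LIMITED").upper()  # schtasks default
    fields["force"] = bool(re.search(r"\s/f\b", cmdline, re.I))
    return fields


def assess(fields):
    """Reasons a parsed task matches the pattern above (empty list if none)."""
    reasons = []
    low = (fields["target"] or "").lower()
    if basename(low) in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside System32/SysWOW64")
    if fields["run_level"] == "HIGHEST":
        reasons.append("runs with highest privileges")
    if (fields["schedule"] or "").upper() == "MINUTE" and \
            fields["modifier"] is not None and fields["modifier"] <= MINUTE_THRESHOLD:
        reasons.append("re-launched at minute granularity")
    return reasons


def persistence_targets(cmdlines):
    """Group flagged /create calls by target executable.

    Returns {target_path: {"tasks": [task names in order], "reasons": sorted}};
    tasks that raise no reason are dropped.
    """
    grouped = defaultdict(lambda: {"tasks": [], "reasons": set()})
    for line in cmdlines:
        f = parse_schtasks(line)
        if f is None or not f["target"]:
            continue
        reasons = assess(f)
        if not reasons:
            continue
        grouped[f["target"]]["tasks"].append(f["name"])
        grouped[f["target"]]["reasons"].update(reasons)
    return {t: {"tasks": v["tasks"], "reasons": sorted(v["reasons"])}
            for t, v in grouped.items()}


# Copied from the Processes list above; the final line is constructed and clean.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /f''',
    r'''schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "reviewnetr" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\reviewnet.exe'" /f''',
    r'''schtasks.exe /create /tn "reviewnet" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\reviewnet.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "UpdateCheck" /sc DAILY /tr "C:\Windows\System32\cmd.exe" /f''',
]

if __name__ == "__main__":
    for target, info in persistence_targets(SAMPLE_CMDLINES).items():
        print(target, info["tasks"], "; ".join(info["reasons"]))
```

reviewnet.exe carries no system binary name and is still reported, on its run level and trigger alone; the constructed System32 task passes all three checks and is dropped, which is the behaviour the directory test exists for.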

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 a1048068.xsph.ru udp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
US 8.8.8.8:53 149.194.8.141.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp
RU 141.8.194.149:80 a1048068.xsph.ru tcp

Files

C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe

MD5 b7946fc546ca743f534d88dddeee3f00
SHA1 668ed69a0b7a298e08a68e80161f7eeead3128a5
SHA256 8673980ed61a75db17016d3fe892f2c37ddc037f34032e2fd35626ed146d80d2
SHA512 7ee3cec4df1a0b2c5984ccf860a004dcaa3c3fa258370edabb50ccd3f92a8d3ab8daf1af1f5087a67a24bf285a34b040f36d7673f1f8e413dc931a201967712a

C:\MssurrogateBrowserDrivermonitor\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat

MD5 934b57a6b87ad62fbf72805fc7ed30d0
SHA1 04111b17e6b836077bca5c092dfd4e59657fbfae
SHA256 25bfd4297df8354c427f96c5569594300935745c03f15aa1e4097cff1be3f70d
SHA512 5737cbaa48b1c5804072681e58e8e9d55aa7d996614dd3ff6501afaea693aca3fe7275a811c7aad1bbb88057fea7a31a393cadf7c2761aeca32e1e1f83940b07

C:\MssurrogateBrowserDrivermonitor\reviewnet.exe

MD5 7d995f38d429ff33eaf4ce89f60585f9
SHA1 160f3163b335110d718e98390add6ca7a110a8ca
SHA256 49877051396a67dc531bb04d9745c78820a04e21ab3a6071906739ef48098b68
SHA512 61cb35e8469cd396b8487ca31542d0f505179283aa7d645344f2de7ffa47cfda0013bdfa2c5b29edd16978bce9a90fe2795a62e3dd4b900d9db5431b2d81f887

memory/468-17-0x0000000000970000-0x0000000000CDA000-memory.dmp

memory/468-18-0x0000000001630000-0x000000000163E000-memory.dmp

memory/468-19-0x0000000001640000-0x000000000164E000-memory.dmp

memory/468-20-0x0000000001650000-0x0000000001658000-memory.dmp

memory/468-21-0x0000000002F40000-0x0000000002F5C000-memory.dmp

memory/468-22-0x0000000002FD0000-0x0000000003020000-memory.dmp

memory/468-24-0x0000000001680000-0x0000000001690000-memory.dmp

memory/468-23-0x0000000001660000-0x0000000001668000-memory.dmp

memory/468-26-0x0000000002F60000-0x0000000002F68000-memory.dmp

memory/468-27-0x0000000002FA0000-0x0000000002FB2000-memory.dmp

memory/468-25-0x0000000002F80000-0x0000000002F96000-memory.dmp

memory/468-28-0x0000000002FC0000-0x0000000002FCC000-memory.dmp

memory/468-29-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

memory/468-30-0x000000001BA00000-0x000000001BA10000-memory.dmp

memory/468-31-0x000000001BA10000-0x000000001BA1A000-memory.dmp

memory/468-32-0x000000001C160000-0x000000001C1B6000-memory.dmp

memory/468-33-0x000000001BA20000-0x000000001BA2C000-memory.dmp

memory/468-34-0x000000001BA30000-0x000000001BA38000-memory.dmp

memory/468-35-0x000000001BA40000-0x000000001BA4C000-memory.dmp

memory/468-36-0x000000001C1B0000-0x000000001C1B8000-memory.dmp

memory/468-37-0x000000001C1C0000-0x000000001C1D2000-memory.dmp

memory/468-38-0x000000001C720000-0x000000001CC48000-memory.dmp

memory/468-39-0x000000001C1F0000-0x000000001C1FC000-memory.dmp

memory/468-40-0x000000001C200000-0x000000001C20C000-memory.dmp

memory/468-41-0x000000001C210000-0x000000001C218000-memory.dmp

memory/468-42-0x000000001C220000-0x000000001C22C000-memory.dmp

memory/468-43-0x000000001C230000-0x000000001C23C000-memory.dmp

memory/468-44-0x000000001C4B0000-0x000000001C4B8000-memory.dmp

memory/468-45-0x000000001C440000-0x000000001C44C000-memory.dmp

memory/468-46-0x000000001C450000-0x000000001C45A000-memory.dmp

memory/468-48-0x000000001C470000-0x000000001C478000-memory.dmp

memory/468-47-0x000000001C460000-0x000000001C46E000-memory.dmp

memory/468-49-0x000000001C480000-0x000000001C48E000-memory.dmp

memory/468-50-0x000000001C490000-0x000000001C498000-memory.dmp

memory/468-51-0x000000001C4A0000-0x000000001C4AC000-memory.dmp

memory/468-52-0x000000001C4C0000-0x000000001C4C8000-memory.dmp

memory/468-53-0x000000001C5D0000-0x000000001C5DA000-memory.dmp

memory/468-54-0x000000001C4D0000-0x000000001C4DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vm34McNXba.bat

MD5 12452457e4b21319f6c65b7bf4b66eee
SHA1 e66a7d68fa930964ee052e9b6c88dde54adf6a7f
SHA256 2a3fbc6bc06af99a8b510e791c476b24ea0da8e0ccf958261eb230884e15b3a1
SHA512 18d517f006af0a84a68c7827b8ca9097db8434fbe99a3bb596c2216fc2653cb28de7976915901d253f1a5e69c3b36ffb99e9b3de9ffe324350e2f9c21c608155

C:\Users\Admin\AppData\Local\Temp\c9a6b6d4-b4af-402d-aa3b-833005a43e38.vbs

MD5 95eef1921b064e392fff82d5ee5bcf57
SHA1 2e368724e5d2504bc9135012cb21512fc1cfc5e2
SHA256 360c63989f981bf2d8d09180b280994efda22ee048e1cc2bc8a7500b2e61f850
SHA512 fea1ff17f741bfa71e64a0fa5d7f9d8009660b60aaed6fb63bd4b57cb00d132cb4ce2a2092f81565723abeb3e705a9b30694c1c9a850f6d304f039a1b37dc3f8

C:\Users\Admin\AppData\Local\Temp\959eb904-3fd0-49df-9c19-ff9e1ac1b075.vbs

MD5 4bbea4f9195d114e75bc972246ec647e
SHA1 c1fe4d4962fc6f237aab9c54cff4456477f04fd6
SHA256 4319fd7e7bb4beadd84573ef179b08e10c338eeb458f74649396064d38a9f5f0
SHA512 7d62e1098f16ae3014527a414c76363856684ffaf3cb65ff390d1646ec3319539cb19ab9f20d3763b6a00fe569abfb0bb9560e6d658bfc1c09759aa9d7d8ac75

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

C:\Users\Admin\AppData\Local\Temp\1e6ffc69-153c-4008-8773-0faf3d205730.vbs

MD5 a4202fb34e74c4eefb25e649fd684f0e
SHA1 e3982c9eb41c0e24919c58af38cec210e6720342
SHA256 9b858ab7345523e49158f20d0a6c77794f05d69039a6dfe49930c879e95174f5
SHA512 04c6c4254bfcd30272c276b91832833c4c9ac7fa70d1d0f7bf836316f79f8fd72dcb34273b0d566ac8cd93425d5162edab71730d49431f8dca65d220fe264b5d

memory/1976-125-0x000000001C630000-0x000000001C642000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1bc3a4b7-e2ee-4dd8-a976-bcd6f963a411.vbs

C:\Users\Admin\AppData\Local\Temp\2c1bcd4b-f3d3-4d4a-aa10-1684ac1ae2ee.vbs

C:\Users\Admin\AppData\Local\Temp\3cef5c35-44c1-4036-ac43-db74f5f5c5d7.vbs

C:\Users\Admin\AppData\Local\Temp\ba3666c3-bccc-4a5b-9d5c-682c4cd7c744.vbs

C:\Users\Admin\AppData\Local\Temp\599fb552-b280-412d-a47c-2e7c22b45914.vbs

C:\Users\Admin\AppData\Local\Temp\720d8293-3b07-4317-9890-cb4620fd7d41.vbs

C:\Users\Admin\AppData\Local\Temp\5533b09d-4c1d-45b6-8ee2-f69248b671a1.vbs

C:\Users\Admin\AppData\Local\Temp\7b8bf11d-75e7-4177-b5e6-7460566b5bd6.vbs

C:\Users\Admin\AppData\Local\Temp\a758ae4f-c70f-422a-a210-5a3fa8f1cbe5.vbs

C:\Users\Admin\AppData\Local\Temp\b5d27ddd-b3fe-449d-abe1-ae57b72c2fbe.vbs
