Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 10.2.sihost.exe.54d0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 10.2.sihost.exe.3b4cbb0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 10.2.sihost.exe.3b4cbb0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 10.2.sihost.exe.54d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 10.2.sihost.exe.54d0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 10.2.sihost.exe.3b4cbb0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 10.2.sihost.exe.3b4cbb0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 10.2.sihost.exe.54d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01364138 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01361F10 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01362D10 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01363230 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01367C38 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01362840 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_0136804F |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01360448 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_013622B0 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01365BA8 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01360390 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01365B99 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_013641F9 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_013641D1 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01366231 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01366638 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01364227 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01366428 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01366628 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01367C28 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01366419 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_0136420C |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01367464 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01365068 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01367468 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01361268 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01361E58 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01365058 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01366240 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_01364040 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Code function: 0_2_013642F3 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_00DF1BDD |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_00DF1F98 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_00DF0E88 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_00DF0E78 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_0293322B |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02937A50 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02932840 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02930448 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_0293804F |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02931F10 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02932D10 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02934138 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_029342F3 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02936419 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_0293420C |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02936231 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02931237 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02937A3A |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02936638 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02934227 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02936428 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02936628 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02931E58 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02935058 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02937442 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02936240 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02934040 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02935068 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02937468 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02935B99 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_02935BA8 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_029341D1 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_029341F9 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_04B39458 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_04B3DDF0 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_04B38330 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_04B38320 |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Code function: 10_2_04B32BD0 |
Source: unknown | Process created: C:\Users\user\Desktop\DCwTjs2dTP.exe "C:\Users\user\Desktop\DCwTjs2dTP.exe" |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat"" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe" |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Queries volume information: C:\Users\user\Desktop\DCwTjs2dTP.exe VolumeInformation |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation |
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation |
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Users\user\AppData\Roaming\sihost.exe VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\sihost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation |