dcrat | d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

Analysis

max time kernel
82s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/03/2023, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa690c0fc39cd9fd36bec2dd30f03ba.exe
Size

2.9MB
MD5

caa690c0fc39cd9fd36bec2dd30f03ba
SHA1

3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0
SHA256

d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b
SHA512

f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a
SSDEEP

49152:CEvU1J8dN6XYbTGw5i+4pK1XWdOcYF62tLmkyWM2tG8r3p+7:CEvA/YbTjt6LkLLt1LrZ

Score

10^/10

dcrat discovery evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat 30 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Program Files (x86)\Google\Temp\24dbde2999530e		caa690c0fc39cd9fd36bec2dd30f03ba.exe
		736	schtasks.exe
		2896	schtasks.exe
		336	schtasks.exe
		1396	schtasks.exe
		1504	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		caa690c0fc39cd9fd36bec2dd30f03ba.exe
		2916	schtasks.exe
		2940	schtasks.exe
		2772	schtasks.exe
		912	schtasks.exe
		872	schtasks.exe
		2688	schtasks.exe
		2704	schtasks.exe
		2728	schtasks.exe
		2756	schtasks.exe
		1768	schtasks.exe
		1772	schtasks.exe
		1968	schtasks.exe
		2824	schtasks.exe
		2844	schtasks.exe
		1080	schtasks.exe
		1528	schtasks.exe
		1820	schtasks.exe
		2864	schtasks.exe
		1084	schtasks.exe
		1264	schtasks.exe
		2796	schtasks.exe
		1668	schtasks.exe
File created	C:\Program Files\Windows NT\24dbde2999530e		caa690c0fc39cd9fd36bec2dd30f03ba.exe

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1640	schtasks.exe	28

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1676-54-0x0000000000960000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/files/0x0007000000013987-85.dat	dcrat
behavioral1/files/0x0008000000013b85-112.dat	dcrat
behavioral1/files/0x00070000000130ff-188.dat	dcrat
behavioral1/files/0x0006000000014ef7-272.dat	dcrat
behavioral1/files/0x0006000000014ef7-307.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe
2320	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files\Windows NT\RCX213C.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX1CE7.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files\Windows NT\WmiPrvSE.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files\Windows Mail\en-US\75a57c1bdf437c	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX1CD7.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files\Windows NT\RCX214C.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files (x86)\Google\Temp\24dbde2999530e	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files\Windows NT\WmiPrvSE.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files\Windows NT\24dbde2999530e	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files\Windows Mail\en-US\WMIADAP.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\WMIADAP.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
336	schtasks.exe
872	schtasks.exe
2704	schtasks.exe
2824	schtasks.exe
1504	schtasks.exe
1772	schtasks.exe
1080	schtasks.exe
2844	schtasks.exe
2796	schtasks.exe
2864	schtasks.exe
1084	schtasks.exe
912	schtasks.exe
1396	schtasks.exe
1820	schtasks.exe
1668	schtasks.exe
1768	schtasks.exe
1968	schtasks.exe
2756	schtasks.exe
2772	schtasks.exe
2896	schtasks.exe
2916	schtasks.exe
2728	schtasks.exe
2940	schtasks.exe
736	schtasks.exe
1528	schtasks.exe
1264	schtasks.exe
2688	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15A954D1-BE2D-11ED-AE25-CED2106B5FC8} = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe
1932	powershell.exe
1584	powershell.exe
1524	powershell.exe
1396	powershell.exe
740	powershell.exe
336	powershell.exe
300	powershell.exe
1140	powershell.exe
1392	powershell.exe
1732	powershell.exe
768	powershell.exe
1320	powershell.exe
2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe
2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe
2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe
2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe
2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe
868	powershell.exe
3016	powershell.exe
3048	powershell.exe
3040	powershell.exe
1940	powershell.exe
512	powershell.exe
3032	powershell.exe
3000	powershell.exe
1356	powershell.exe
2992	powershell.exe
3024	powershell.exe
272	powershell.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	2320	spoolsv.exe
Token: SeBackupPrivilege	1336	vssvc.exe
Token: SeRestorePrivilege	1336	vssvc.exe
Token: SeAuditPrivilege	1336	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1296	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1296	iexplore.exe
1296	iexplore.exe
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 336	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	44
PID 1676 wrote to memory of 336	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	44
PID 1676 wrote to memory of 336	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	44
PID 1676 wrote to memory of 1932	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	45
PID 1676 wrote to memory of 1932	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	45
PID 1676 wrote to memory of 1932	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	45
PID 1676 wrote to memory of 1140	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	46
PID 1676 wrote to memory of 1140	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	46
PID 1676 wrote to memory of 1140	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	46
PID 1676 wrote to memory of 740	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	47
PID 1676 wrote to memory of 740	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	47
PID 1676 wrote to memory of 740	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	47
PID 1676 wrote to memory of 1392	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	48
PID 1676 wrote to memory of 1392	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	48
PID 1676 wrote to memory of 1392	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	48
PID 1676 wrote to memory of 1396	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	49
PID 1676 wrote to memory of 1396	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	49
PID 1676 wrote to memory of 1396	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	49
PID 1676 wrote to memory of 300	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	50
PID 1676 wrote to memory of 300	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	50
PID 1676 wrote to memory of 300	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	50
PID 1676 wrote to memory of 1584	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	51
PID 1676 wrote to memory of 1584	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	51
PID 1676 wrote to memory of 1584	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	51
PID 1676 wrote to memory of 1320	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	52
PID 1676 wrote to memory of 1320	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	52
PID 1676 wrote to memory of 1320	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	52
PID 1676 wrote to memory of 1524	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	53
PID 1676 wrote to memory of 1524	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	53
PID 1676 wrote to memory of 1524	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	53
PID 1676 wrote to memory of 1732	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	54
PID 1676 wrote to memory of 1732	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	54
PID 1676 wrote to memory of 1732	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	54
PID 1676 wrote to memory of 768	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	55
PID 1676 wrote to memory of 768	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	55
PID 1676 wrote to memory of 768	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	55
PID 1676 wrote to memory of 2148	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	68
PID 1676 wrote to memory of 2148	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	68
PID 1676 wrote to memory of 2148	1676	caa690c0fc39cd9fd36bec2dd30f03ba.exe	68
PID 2148 wrote to memory of 2992	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	81
PID 2148 wrote to memory of 2992	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	81
PID 2148 wrote to memory of 2992	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	81
PID 2148 wrote to memory of 3000	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	104
PID 2148 wrote to memory of 3000	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	104
PID 2148 wrote to memory of 3000	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	104
PID 2148 wrote to memory of 3016	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	82
PID 2148 wrote to memory of 3016	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	82
PID 2148 wrote to memory of 3016	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	82
PID 2148 wrote to memory of 3024	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	102
PID 2148 wrote to memory of 3024	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	102
PID 2148 wrote to memory of 3024	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	102
PID 2148 wrote to memory of 3032	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	83
PID 2148 wrote to memory of 3032	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	83
PID 2148 wrote to memory of 3032	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	83
PID 2148 wrote to memory of 3040	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	84
PID 2148 wrote to memory of 3040	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	84
PID 2148 wrote to memory of 3040	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	84
PID 2148 wrote to memory of 3048	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	85
PID 2148 wrote to memory of 3048	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	85
PID 2148 wrote to memory of 3048	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	85
PID 2148 wrote to memory of 1356	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	86
PID 2148 wrote to memory of 1356	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	86
PID 2148 wrote to memory of 1356	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	86
PID 2148 wrote to memory of 512	2148	caa690c0fc39cd9fd36bec2dd30f03ba.exe	87

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe
"C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe
  "C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
    "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2320
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e23c483c-66c0-4518-aedc-41fd9484ca99.vbs"
      4⤵
      PID:2892
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed7afce-a7e9-492f-b6f0-a70ed592217f.vbs"
      4⤵
      PID:2724
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12868/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1296
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe

Filesize
2.9MB

MD5
caa690c0fc39cd9fd36bec2dd30f03ba

SHA1
3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0

SHA256
d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

SHA512
f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a

Download Submit
C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe

Filesize
2.9MB

MD5
caa690c0fc39cd9fd36bec2dd30f03ba

SHA1
3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0

SHA256
d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

SHA512
f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a

Download Submit
C:\Program Files\Windows NT\RCX214C.tmp

Filesize
2.9MB

MD5
393f7810c51e9fae12e95b05a9622404

SHA1
fd639e0d2f80ae4c0157b3184a1b8704ee798057

SHA256
7093de61d6787275ac75f5579086a333e06cceefd4f783d4d1ca3b8999981708

SHA512
f468e6785c7f07dc6eb63d49c2a7568dd9e5232e4d3ba108aa012be1167fc91fd8a89ff07886af695c26ec77f6c14e73c6f14a931f1b5a3e5bda4137fda0e455

Download Submit
C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\winlogon.exe

Filesize
2.9MB

MD5
caa690c0fc39cd9fd36bec2dd30f03ba

SHA1
3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0

SHA256
d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

SHA512
f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e422078463a17f5c882f89d68733311

SHA1
262babbbaffae0db8b95b51f743cc7f66ae5ce0d

SHA256
8ed0d419996998702f5b3e3f9a07480467fc699508df8a22080de2f3fe2e26fc

SHA512
f074487c1813a6ee2405c9a3be1877907529ac8e2fdefecd2f8b5014da234a243ecfea8872e6610d8fc2d57057dda6ace3e2085b4c91f673ef502784fa48452e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ed7afce-a7e9-492f-b6f0-a70ed592217f.vbs

Filesize
511B

MD5
f506a96e39277c652f5587947ff9be1b

SHA1
1a960a812e813ea01debb5c0459aa5ec3ef8cea6

SHA256
79424391bee496d6d748a7f8147f1a56d6fdc2e5f7b9e06f090733475796fea2

SHA512
e8cef7bc88b6491b7272200e657f19344974196db97d60002e29dca1ce57e5fcce5d1b2e35279b545ae42f2e2e02133c9918b32109a0ba1ec6b2eddaad2055f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1039.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab10D7.tmp

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1188.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe

Filesize
2.9MB

MD5
caa690c0fc39cd9fd36bec2dd30f03ba

SHA1
3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0

SHA256
d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

SHA512
f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e23c483c-66c0-4518-aedc-41fd9484ca99.vbs

Filesize
735B

MD5
805c61af01370131aa541583685b15a1

SHA1
8816372f2ba844067309cbecaf4ac58c9abe6f5f

SHA256
05bd475e3cef7000444783eb0ad905ea95ecb1c8a18d5739330593faf94717b6

SHA512
37daa23cf3bec2a3d2b65a545ebd2eb54c9ba5ee69d5ea455cc6068cc321925ae5176670d18d0244a812d4c0b83576e1b72e4919cf8e22807d41f7e99862d2db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ANEURTNYA15ONAEJE8AG.temp

Filesize
7KB

MD5
cb1d96a01ee03568ff0e42e11fe77fb0

SHA1
136628859a58d4d2606060bb0d455e6b246542e1

SHA256
2bcc73cbc6f45f7107fb3ae9845802a994e0943a0dc2a7c5bfc1f12ea1ba6fa7

SHA512
9ad8f32ec429cab1f8a8ccd54b81ab73e3688474f68715321bbc17dad555f1638b8983689b7a3b2caf2e5e645048ce643647f9ba3dcb2e8b39f590fdb3297e9f

Download Submit
memory/300-235-0x00000000028FB000-0x0000000002932000-memory.dmp

Filesize
220KB

Download
memory/300-218-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/300-219-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/336-234-0x000000000274B000-0x0000000002782000-memory.dmp

Filesize
220KB

Download
memory/336-217-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/336-214-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/740-210-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/740-229-0x000000000294B000-0x0000000002982000-memory.dmp

Filesize
220KB

Download
memory/740-215-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/740-216-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/768-227-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/768-230-0x00000000023DB000-0x0000000002412000-memory.dmp

Filesize
220KB

Download
memory/768-228-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/768-226-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/868-295-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1140-153-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/1140-205-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/1140-232-0x000000000249B000-0x00000000024D2000-memory.dmp

Filesize
220KB

Download
memory/1140-206-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/1296-479-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1320-222-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1320-203-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1320-233-0x000000000272B000-0x0000000002762000-memory.dmp

Filesize
220KB

Download
memory/1392-220-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1392-221-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1392-236-0x000000000285B000-0x0000000002892000-memory.dmp

Filesize
220KB

Download
memory/1396-208-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1396-212-0x00000000028BB000-0x00000000028F2000-memory.dmp

Filesize
220KB

Download
memory/1524-207-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/1524-211-0x000000000299B000-0x00000000029D2000-memory.dmp

Filesize
220KB

Download
memory/1584-209-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/1584-213-0x0000000002A0B000-0x0000000002A42000-memory.dmp

Filesize
220KB

Download
memory/1676-64-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1676-73-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/1676-55-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/1676-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1676-57-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/1676-58-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/1676-59-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/1676-76-0x000000001AF60000-0x000000001AF6C000-memory.dmp

Filesize
48KB

Download
memory/1676-75-0x000000001AF50000-0x000000001AF5A000-memory.dmp

Filesize
40KB

Download
memory/1676-60-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/1676-74-0x000000001AF30000-0x000000001AF3C000-memory.dmp

Filesize
48KB

Download
memory/1676-63-0x00000000024D0000-0x00000000024DC000-memory.dmp

Filesize
48KB

Download
memory/1676-72-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/1676-71-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/1676-70-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/1676-69-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/1676-61-0x00000000022F0000-0x00000000022FA000-memory.dmp

Filesize
40KB

Download
memory/1676-62-0x0000000002480000-0x00000000024D6000-memory.dmp

Filesize
344KB

Download
memory/1676-68-0x000000001AA40000-0x000000001AA48000-memory.dmp

Filesize
32KB

Download
memory/1676-67-0x000000001AA30000-0x000000001AA38000-memory.dmp

Filesize
32KB

Download
memory/1676-66-0x000000001AA20000-0x000000001AA2C000-memory.dmp

Filesize
48KB

Download
memory/1676-65-0x000000001AA10000-0x000000001AA18000-memory.dmp

Filesize
32KB

Download
memory/1676-54-0x0000000000960000-0x0000000000C40000-memory.dmp

Filesize
2.9MB

Download
memory/1732-231-0x000000000269B000-0x00000000026D2000-memory.dmp

Filesize
220KB

Download
memory/1732-225-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1732-224-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1732-223-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1932-202-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1932-154-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/1932-204-0x00000000028BB000-0x00000000028F2000-memory.dmp

Filesize
220KB

Download
memory/2148-238-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/2148-237-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2160-480-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/2992-292-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download