dcrat | 77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/09/2023, 03:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Size

1.5MB
MD5

fe4cdaa8bb823a19b57051a1a51824b4
SHA1

51e89aeb5373c875f87ce19fbfcbf2e8ff491379
SHA256

77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a
SHA512

a91f394221dbdf8fb553536c0a6817dd1bc3990bdf15c006e65509c3a5c091db70c684a308dbec33f37c9db95f76d12cf227dc01b8f41ff50e5dd8823407438c
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\System32\xpsrchvw\69ddcba757bf72		77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
		2688	schtasks.exe
		2628	schtasks.exe
		2532	schtasks.exe
		2548	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\xpsrchvw\\smss.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\xpsrchvw\\smss.exe\", \"C:\\Windows\\System32\\pcwum\\dwm.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\xpsrchvw\\smss.exe\", \"C:\\Windows\\System32\\pcwum\\dwm.exe\", \"C:\\Windows\\System32\\api-ms-win-core-datetime-l1-1-0\\winlogon.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\xpsrchvw\\smss.exe\", \"C:\\Windows\\System32\\pcwum\\dwm.exe\", \"C:\\Windows\\System32\\api-ms-win-core-datetime-l1-1-0\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wmsetup\\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2692	schtasks.exe	28

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe

Executes dropped EXE 15 IoCs

pid	Process
1480	winlogon.exe
692	winlogon.exe
2624	winlogon.exe
2872	winlogon.exe
1616	winlogon.exe
1832	winlogon.exe
1756	winlogon.exe
2528	winlogon.exe
1528	winlogon.exe
2044	winlogon.exe
1684	winlogon.exe
2168	winlogon.exe
580	winlogon.exe
3036	winlogon.exe
2568	winlogon.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\xpsrchvw\\smss.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\pcwum\\dwm.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\pcwum\\dwm.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\api-ms-win-core-datetime-l1-1-0\\winlogon.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\api-ms-win-core-datetime-l1-1-0\\winlogon.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wmsetup\\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wmsetup\\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\xpsrchvw\\smss.exe\""	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\RCX4924.tmp	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File opened for modification	C:\Windows\System32\xpsrchvw\smss.exe	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File created	C:\Windows\System32\xpsrchvw\69ddcba757bf72	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File created	C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\cc11b995f2a76d	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File opened for modification	C:\Windows\System32\pcwum\RCX4720.tmp	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File opened for modification	C:\Windows\System32\xpsrchvw\RCX44AF.tmp	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File opened for modification	C:\Windows\System32\pcwum\dwm.exe	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File opened for modification	C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File created	C:\Windows\System32\xpsrchvw\smss.exe	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File created	C:\Windows\System32\pcwum\dwm.exe	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File created	C:\Windows\System32\pcwum\6cb0b6c459d5d3	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
File created	C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2548	schtasks.exe
2688	schtasks.exe
2628	schtasks.exe
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
3036	powershell.exe
1872	powershell.exe
2992	powershell.exe
3016	powershell.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1860	powershell.exe
1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
1480	winlogon.exe
692	winlogon.exe
692	winlogon.exe
692	winlogon.exe
692	winlogon.exe
692	winlogon.exe
692	winlogon.exe
692	winlogon.exe
692	winlogon.exe
692	winlogon.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1480	winlogon.exe
Token: SeDebugPrivilege	692	winlogon.exe
Token: SeDebugPrivilege	2624	winlogon.exe
Token: SeDebugPrivilege	2872	winlogon.exe
Token: SeDebugPrivilege	1616	winlogon.exe
Token: SeDebugPrivilege	1832	winlogon.exe
Token: SeDebugPrivilege	1756	winlogon.exe
Token: SeDebugPrivilege	2528	winlogon.exe
Token: SeDebugPrivilege	1528	winlogon.exe
Token: SeDebugPrivilege	2044	winlogon.exe
Token: SeDebugPrivilege	1684	winlogon.exe
Token: SeDebugPrivilege	2168	winlogon.exe
Token: SeDebugPrivilege	580	winlogon.exe
Token: SeDebugPrivilege	3036	winlogon.exe
Token: SeDebugPrivilege	2568	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2992	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	33
PID 1096 wrote to memory of 2992	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	33
PID 1096 wrote to memory of 2992	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	33
PID 1096 wrote to memory of 1872	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	34
PID 1096 wrote to memory of 1872	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	34
PID 1096 wrote to memory of 1872	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	34
PID 1096 wrote to memory of 3016	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	36
PID 1096 wrote to memory of 3016	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	36
PID 1096 wrote to memory of 3016	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	36
PID 1096 wrote to memory of 1860	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	35
PID 1096 wrote to memory of 1860	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	35
PID 1096 wrote to memory of 1860	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	35
PID 1096 wrote to memory of 3036	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	41
PID 1096 wrote to memory of 3036	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	41
PID 1096 wrote to memory of 3036	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	41
PID 1096 wrote to memory of 1480	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	43
PID 1096 wrote to memory of 1480	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	43
PID 1096 wrote to memory of 1480	1096	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe	43
PID 1480 wrote to memory of 1916	1480	winlogon.exe	44
PID 1480 wrote to memory of 1916	1480	winlogon.exe	44
PID 1480 wrote to memory of 1916	1480	winlogon.exe	44
PID 1480 wrote to memory of 340	1480	winlogon.exe	45
PID 1480 wrote to memory of 340	1480	winlogon.exe	45
PID 1480 wrote to memory of 340	1480	winlogon.exe	45
PID 1916 wrote to memory of 692	1916	WScript.exe	46
PID 1916 wrote to memory of 692	1916	WScript.exe	46
PID 1916 wrote to memory of 692	1916	WScript.exe	46
PID 692 wrote to memory of 1748	692	winlogon.exe	47
PID 692 wrote to memory of 1748	692	winlogon.exe	47
PID 692 wrote to memory of 1748	692	winlogon.exe	47
PID 692 wrote to memory of 1716	692	winlogon.exe	48
PID 692 wrote to memory of 1716	692	winlogon.exe	48
PID 692 wrote to memory of 1716	692	winlogon.exe	48
PID 1748 wrote to memory of 2624	1748	WScript.exe	49
PID 1748 wrote to memory of 2624	1748	WScript.exe	49
PID 1748 wrote to memory of 2624	1748	WScript.exe	49
PID 2624 wrote to memory of 3028	2624	winlogon.exe	50
PID 2624 wrote to memory of 3028	2624	winlogon.exe	50
PID 2624 wrote to memory of 3028	2624	winlogon.exe	50
PID 2624 wrote to memory of 3044	2624	winlogon.exe	51
PID 2624 wrote to memory of 3044	2624	winlogon.exe	51
PID 2624 wrote to memory of 3044	2624	winlogon.exe	51
PID 3028 wrote to memory of 2872	3028	WScript.exe	54
PID 3028 wrote to memory of 2872	3028	WScript.exe	54
PID 3028 wrote to memory of 2872	3028	WScript.exe	54
PID 2872 wrote to memory of 2892	2872	winlogon.exe	55
PID 2872 wrote to memory of 2892	2872	winlogon.exe	55
PID 2872 wrote to memory of 2892	2872	winlogon.exe	55
PID 2872 wrote to memory of 2940	2872	winlogon.exe	56
PID 2872 wrote to memory of 2940	2872	winlogon.exe	56
PID 2872 wrote to memory of 2940	2872	winlogon.exe	56
PID 2892 wrote to memory of 1616	2892	WScript.exe	57
PID 2892 wrote to memory of 1616	2892	WScript.exe	57
PID 2892 wrote to memory of 1616	2892	WScript.exe	57
PID 1616 wrote to memory of 3000	1616	winlogon.exe	58
PID 1616 wrote to memory of 3000	1616	winlogon.exe	58
PID 1616 wrote to memory of 3000	1616	winlogon.exe	58
PID 1616 wrote to memory of 2336	1616	winlogon.exe	59
PID 1616 wrote to memory of 2336	1616	winlogon.exe	59
PID 1616 wrote to memory of 2336	1616	winlogon.exe	59
PID 3000 wrote to memory of 1832	3000	WScript.exe	60
PID 3000 wrote to memory of 1832	3000	WScript.exe	60
PID 3000 wrote to memory of 1832	3000	WScript.exe	60
PID 1832 wrote to memory of 2312	1832	winlogon.exe	61

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe
"C:\Users\Admin\AppData\Local\Temp\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\xpsrchvw\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\pcwum\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wmsetup\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
  "C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1480
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27aeb5bc-9e4c-4f08-9ff5-4ecfbb478c69.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
      C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af47f77f-f187-4008-a2c1-d8a37667d9de.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34064e57-dd43-4231-803d-cfafc0ea5f05.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b288990-2311-471e-b647-e481fcb49d7f.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\559c2a62-5043-467e-b000-6e49539f03d4.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6131b688-7cf3-4782-9674-6dabbbf0b5be.vbs"
        13⤵
        
        PID:2312
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90679dd4-97c0-4410-9a8d-72ea6a3ce45b.vbs"
        15⤵
        
        PID:1164
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be7d290d-46a9-479f-be2b-dc14ac6803e1.vbs"
        17⤵
        
        PID:2440
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\315866cd-06ad-40b6-bad1-3d69d9872f77.vbs"
        19⤵
        
        PID:1680
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23e79b18-d68d-40c4-8912-707912e8a14d.vbs"
        21⤵
        
        PID:764
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44309ad1-c3ad-4b83-ac68-5f7b50a36e97.vbs"
        23⤵
        
        PID:2776
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63f42a9d-cb93-409d-bf95-767d20afc658.vbs"
        25⤵
        
        PID:2036
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14756f9a-41da-4c65-b0c6-68c45cb67ca2.vbs"
        27⤵
        
        PID:2980
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b8b26ad-489b-4d34-8e3f-3ef8b2a3207a.vbs"
        29⤵
        
        PID:1960
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        
        C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe
        30⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce52aa07-eb48-48a2-be17-16b187bdfc68.vbs"
        31⤵
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b88aa86-5610-447b-9069-310ccffb87ac.vbs"
        31⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e059d537-bff7-42ca-9b8b-ade425c6cb8a.vbs"
        29⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2c5a181-fece-46ca-945d-14ec1734dab9.vbs"
        27⤵
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\082d93f9-7dc0-4d31-afcf-110e9c9accd1.vbs"
        25⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba64873f-ef3b-4e57-a6d8-b1b4f8fac077.vbs"
        23⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dd52983-9b47-4d1b-a7ee-db4ec4e5a675.vbs"
        21⤵
        
        PID:748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3604ef2f-6091-4c61-8677-bf7e22bc1cc8.vbs"
        19⤵
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\587f363d-fd1a-41ec-ae63-3b3eeb95a3df.vbs"
        17⤵
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\252eeebe-535f-4a46-b18c-523edf07475b.vbs"
        15⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd60b3ce-766a-4bdd-b5d4-21b949449738.vbs"
        13⤵
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7f05a2f-9e48-4a8f-b953-684bf1ecaab3.vbs"
        11⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6331993-3ce8-4daf-bf28-ff621867cc2e.vbs"
        9⤵
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2208ebba-93eb-4750-ac7a-c1dee2de4c6f.vbs"
        7⤵
        
        PID:3044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\196f9dcf-e311-44b3-bbcb-aac77f0d83d7.vbs"
        5⤵
        
        PID:1716
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a6e6922-69b7-4eb1-9d75-88c0075d7f65.vbs"
    3⤵
    PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\xpsrchvw\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\pcwum\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\wmsetup\77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\082d93f9-7dc0-4d31-afcf-110e9c9accd1.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\14756f9a-41da-4c65-b0c6-68c45cb67ca2.vbs

Filesize
739B

MD5
ee41d6f9b05d47452cce25718335e9f6

SHA1
2c9975cefe473c5cd65e5d0a2458817339d70ccc

SHA256
79d00abbe3ec7eba38b7f008293c0adcc747913bd4e76a530abb1e936bd19301

SHA512
574e4e13313c6ed0415c76c06b12e9d366f6f0c17011362972a422e5e4f54b2d4011531686dd4a87349fe6641d0c7b3ddec6f680f5848a658867c03edc731d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\196f9dcf-e311-44b3-bbcb-aac77f0d83d7.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\196f9dcf-e311-44b3-bbcb-aac77f0d83d7.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a6e6922-69b7-4eb1-9d75-88c0075d7f65.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2208ebba-93eb-4750-ac7a-c1dee2de4c6f.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\23e79b18-d68d-40c4-8912-707912e8a14d.vbs

Filesize
740B

MD5
fdbd94249d07e0030e81784b299d14e1

SHA1
55eb8a38cec41e08f35bff9068fbd3f7b2aa6a70

SHA256
366cca6ebb4cbc51653ef9376bb175134bf0cf9a87ddc4a6d6ea3bb293e26946

SHA512
65a25d0c8cc421502ea50112690662bf3cfecb1779f77dd73da4764139ba33fc4e1110663f1bc50c329629dd553cbb0461de1107e974a6298a370240522dc5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\252eeebe-535f-4a46-b18c-523edf07475b.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\27aeb5bc-9e4c-4f08-9ff5-4ecfbb478c69.vbs

Filesize
740B

MD5
d5d0d7e63852f691faca7bb9b5d46a68

SHA1
3e922eb83bc97fd44d99c228e1223a5a3612b4b4

SHA256
5b51faca7e17b7f0e90704259847e0e6a88f8456603203cf2e39ef1c0a686101

SHA512
26aa9fff674fb67acd7f000fefd2cce8abf831abcf4c35cdf802136642d763ad77eef09989e479c4db2438605bbc4540517b44e7ea8e34527d999c4388e25ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\313631cff684b7bd842a0d2c038c4bc2161afe50.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Users\Admin\AppData\Local\Temp\315866cd-06ad-40b6-bad1-3d69d9872f77.vbs

Filesize
740B

MD5
6a5b135e5f16522001238eab3ec0ba05

SHA1
0be30617e88997b1bf57bba2009afb1bebb02073

SHA256
d10892eafd33b4629664e7702dbf694898fdd92dd83edde63da51a09126cb4bd

SHA512
9d7293318ec94fda0616c99a0c617446c6a52a92351dddfdefaa0e4be5648f122ac370908c4e7f3f170cb80c690f33e41ab0998bd1a594199922e0cf24a06d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\34064e57-dd43-4231-803d-cfafc0ea5f05.vbs

Filesize
740B

MD5
11bc89ce2f0c330749caf4a14f7d2d24

SHA1
5d05da7f83b513bf3c0ff8370dfda3014021e13d

SHA256
105db66693e0f37b78ec4616132e8f498dd8d4284019192b262a8c11106842d5

SHA512
479672f42e74890d184c52af8b4e2f558b284ca5a2670235bc833d5b317ce50504758b02661d6b72c21c54433512454ce25084fbf8dd3c9835252adba3c45a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3604ef2f-6091-4c61-8677-bf7e22bc1cc8.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b288990-2311-471e-b647-e481fcb49d7f.vbs

Filesize
740B

MD5
e8d85e72f946116a7d8beccb9beaf9e6

SHA1
2df7264c7e62e7c5a0d0b3e55929d10d1f61f582

SHA256
d8207b570f3d2a153e205ca934cfefa83e7da954e6877f38708424c8c8437fbe

SHA512
b013febb02bd6569c8c0611d67b3746197318d794d18f4f9b6d21ba0c24dd20742c2802abc46836765c220cb1860bf4051df427f46fc6255f0c62222e827d594

Download Submit
C:\Users\Admin\AppData\Local\Temp\44309ad1-c3ad-4b83-ac68-5f7b50a36e97.vbs

Filesize
740B

MD5
a0ef5f69aa11cd84ec89534dc22fb2ff

SHA1
582394718795891c494552b876f39647d8611145

SHA256
d33b81b26d87d48c30647749c9abea5718f92f4dee23da6de3d44ea699ed1360

SHA512
6dad5e1ce5ca06e5964cf6f093bf8f7eb315f4af9b3ad76d9077e2e8b2303f3eb43a5b8b45a383ba41bf4f0d9a4ee8965c399bb26e12f81df9cd17d63a0a3e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\4dd52983-9b47-4d1b-a7ee-db4ec4e5a675.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\559c2a62-5043-467e-b000-6e49539f03d4.vbs

Filesize
740B

MD5
d3da47684bb625900f8710734f021c52

SHA1
a4f493ecd9280666cd697df05a6eb6544f949c3f

SHA256
2f24c95d4aed49ce61f1a941b9bd91eead5c66e7bd04007afe32e0e0104219e9

SHA512
a58abae8246ce22c5a0a8317e5c47a1311117e519433ff6f2fdd652933a2684f29923a374ae0a44f0c1b9dc5a9bd3c5078f4f54db50dafe16d3287937c59fc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\587f363d-fd1a-41ec-ae63-3b3eeb95a3df.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b88aa86-5610-447b-9069-310ccffb87ac.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6131b688-7cf3-4782-9674-6dabbbf0b5be.vbs

Filesize
740B

MD5
c7530bd87e0130dab43c966c0e389652

SHA1
286fce370f93a9b47c6857170913e64fc9145eb5

SHA256
356ec02c1d70dc353b297f246f2e413f88842ce0d3fd68f2e661017a0705974d

SHA512
fd358970c045eb76082c22c3b24ae8545b6ed33ba803c2afc7b17c1ce40c05de5582f5dd3105d62ad0ff9588f7780652a1c997dc23a67393a9965d9e6f0ba5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\63f42a9d-cb93-409d-bf95-767d20afc658.vbs

Filesize
740B

MD5
f21a1c677028b379163ba3bf9cfe96e8

SHA1
836d9e7e1e212d8249b34c9e2111a359071744b4

SHA256
013dafecff530eb6b7907d65978db1519d3b54f96a7dfd995fdac8d2f6ef47f0

SHA512
9cc1542017a2c7b66463a1e7f2720e321584c2bd036c99d2a84da67a8683e2cadbb90bad13decc6f79e44ab7631b6cebdce81ea4ccc16bf49a76573c31b446b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b8b26ad-489b-4d34-8e3f-3ef8b2a3207a.vbs

Filesize
740B

MD5
cc0d825a7a959980d889a82a32fe67e9

SHA1
c3d12022bf63d6c6f5cdb8816fa4fb6294999626

SHA256
804cafc0aeab01a98ee1421d53f2817a8103693e0c19805546179b71b194941b

SHA512
a9220ae7a9b51c87feeb24efc67982bb545705c24c7bc808f64add945b4e9fc200b100c13ace3e90e0fdb977abf947b36cafc371616be3a8dc90bad7b7a716c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\90679dd4-97c0-4410-9a8d-72ea6a3ce45b.vbs

Filesize
740B

MD5
1dfc612a4a4e0bd828f8b80b38dd5656

SHA1
e3857ec3eadb63d6ff689a0ba7151f69965df423

SHA256
db93819322e5ec87cbab562c746b0f380819227c9d84ca41660deea4cf4d665a

SHA512
334f7abecfa7c3490b805683617c29aff1baf2d2d2f6bcda658227245c8b5948623e2f9aa0906fc401e79fb608ceae03936aaae29efa801e240356eafa967a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\af47f77f-f187-4008-a2c1-d8a37667d9de.vbs

Filesize
739B

MD5
5d18eb316536e5813b1644087889f547

SHA1
c3d5c2a62e51d5fd4174f5fd50402dc3dd20deb1

SHA256
b9728364c71710d801771e9c93db7a3affb310f1d63a6a7966538a37f2bccaae

SHA512
1c80f93ac0451ce4415852fa69ea94afffb2c16495c465523c68442b630b3f0540e08c7e0e957771d10a26050d72af769524a81c976ee28c0448513da6975a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba64873f-ef3b-4e57-a6d8-b1b4f8fac077.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\be7d290d-46a9-479f-be2b-dc14ac6803e1.vbs

Filesize
740B

MD5
42471a132725125edf15f512252c8cee

SHA1
97a59071691588ce753f5bf77693ac456d7ebfd3

SHA256
c56318ccbb7512757fb18131768cb7afe14992835e5dd2cdf4a66a56534bede1

SHA512
a408e2f24ff360f4a647faf211e52b37672b3e1a30c1897c038c4e64a671e0b9bdf17673f3efdc5b6dff352dee8576f13c8ea6336049e488b90771deedf668f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce52aa07-eb48-48a2-be17-16b187bdfc68.vbs

Filesize
740B

MD5
9258ac06037b8b14cd833d9bcb27c515

SHA1
0abe11c693a12495dec036b7f75680b01e7467b7

SHA256
4c896b8f6983dd666594a3bca0a32de43385328680327e1cf01a8045ace89a2c

SHA512
8804a3126c5e829a280ee03134955fe1680d88906b55968fb04065d8a4784e1c47c2265524233b48baee1eaff461a7303a3ee691e66560518968ba6a4a343bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2c5a181-fece-46ca-945d-14ec1734dab9.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e059d537-bff7-42ca-9b8b-ade425c6cb8a.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6331993-3ce8-4daf-bf28-ff621867cc2e.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7f05a2f-9e48-4a8f-b953-684bf1ecaab3.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd60b3ce-766a-4bdd-b5d4-21b949449738.vbs

Filesize
516B

MD5
3ff675ee6da0c50643151edc4d97578c

SHA1
26d801482e90048bf1012e28f4c7f2c2ec0510e8

SHA256
0953942b0ef9ea4d50cba0bd3a919a844b437fe2095b3a2d0414c767b4f11176

SHA512
f01b0246627ff5a4f0cd51f59d53646652055c78d56fda9dddc24a0aaa78fbfcbe6cfe8c47c3c70bff9614def21372f4964098376ec4b3e80072bac7f10fbd4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9fd92e11e21bd5d35451a4550bce9ec2

SHA1
8bc6032af664e1e128cd9e942ef50e1b5d2bd1cd

SHA256
46aa991544f91747d65c7fe22bae2468a71b6a7557381828f1c671dea2fa4541

SHA512
4e6e45933bca525c5fd0af4494caf3efc33388343b1020b729687ab5762b15a6ff2529af9c3e0532410cc53dfaecbcdd11d19e04cfa48888a5a18f669e0d5852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9fd92e11e21bd5d35451a4550bce9ec2

SHA1
8bc6032af664e1e128cd9e942ef50e1b5d2bd1cd

SHA256
46aa991544f91747d65c7fe22bae2468a71b6a7557381828f1c671dea2fa4541

SHA512
4e6e45933bca525c5fd0af4494caf3efc33388343b1020b729687ab5762b15a6ff2529af9c3e0532410cc53dfaecbcdd11d19e04cfa48888a5a18f669e0d5852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9fd92e11e21bd5d35451a4550bce9ec2

SHA1
8bc6032af664e1e128cd9e942ef50e1b5d2bd1cd

SHA256
46aa991544f91747d65c7fe22bae2468a71b6a7557381828f1c671dea2fa4541

SHA512
4e6e45933bca525c5fd0af4494caf3efc33388343b1020b729687ab5762b15a6ff2529af9c3e0532410cc53dfaecbcdd11d19e04cfa48888a5a18f669e0d5852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9fd92e11e21bd5d35451a4550bce9ec2

SHA1
8bc6032af664e1e128cd9e942ef50e1b5d2bd1cd

SHA256
46aa991544f91747d65c7fe22bae2468a71b6a7557381828f1c671dea2fa4541

SHA512
4e6e45933bca525c5fd0af4494caf3efc33388343b1020b729687ab5762b15a6ff2529af9c3e0532410cc53dfaecbcdd11d19e04cfa48888a5a18f669e0d5852

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EVFGDJGUJVCPRMGJFBLV.temp

Filesize
7KB

MD5
9fd92e11e21bd5d35451a4550bce9ec2

SHA1
8bc6032af664e1e128cd9e942ef50e1b5d2bd1cd

SHA256
46aa991544f91747d65c7fe22bae2468a71b6a7557381828f1c671dea2fa4541

SHA512
4e6e45933bca525c5fd0af4494caf3efc33388343b1020b729687ab5762b15a6ff2529af9c3e0532410cc53dfaecbcdd11d19e04cfa48888a5a18f669e0d5852

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\api-ms-win-core-datetime-l1-1-0\winlogon.exe

Filesize
1.5MB

MD5
b4bed69bd458ec34c688802b7e6fcd3f

SHA1
60fb7059dda3204c201be73e202af11a180d07be

SHA256
37e90c0643217b863d10ba66a94661d4b201cfd5d59d0ef7fe5763df80d07bcb

SHA512
014e65663f39643aefdf05276cd0a6ea5744145f0f71c141cb91002f61deb8da68c07da44a637086e3f39a03268c461d30f023ca3648df3ede59d786d9764919

Download Submit
C:\Windows\System32\xpsrchvw\smss.exe

Filesize
1.5MB

MD5
fe4cdaa8bb823a19b57051a1a51824b4

SHA1
51e89aeb5373c875f87ce19fbfcbf2e8ff491379

SHA256
77d7ff82f0a21761549b9376647fc24fa6c7c58be56c81a3c6b46498b698529a

SHA512
a91f394221dbdf8fb553536c0a6817dd1bc3990bdf15c006e65509c3a5c091db70c684a308dbec33f37c9db95f76d12cf227dc01b8f41ff50e5dd8823407438c

Download Submit
memory/1096-15-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/1096-10-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1096-1-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1096-2-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/1096-102-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1096-3-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1096-4-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1096-5-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1096-6-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/1096-7-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1096-8-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/1096-9-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1096-11-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1096-13-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/1096-12-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1096-14-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/1096-16-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/1096-65-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/1096-57-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/1096-17-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/1096-18-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/1096-56-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1096-42-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/1096-20-0x0000000002150000-0x000000000215C000-memory.dmp

Filesize
48KB

Download
memory/1096-21-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/1096-0-0x0000000000070000-0x00000000001EE000-memory.dmp

Filesize
1.5MB

Download
memory/1096-32-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/1096-24-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/1480-121-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1480-138-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1480-99-0x0000000000080000-0x00000000001FE000-memory.dmp

Filesize
1.5MB

Download
memory/1480-139-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1480-140-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1480-141-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1480-142-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1480-136-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1480-135-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1480-125-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1480-137-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1480-123-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1860-104-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1860-103-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/1860-122-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/1860-115-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1860-108-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/1860-124-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1860-120-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1860-92-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/1872-116-0x000000000298B000-0x00000000029F2000-memory.dmp

Filesize
412KB

Download
memory/1872-113-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/1872-106-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-112-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-119-0x000000000297B000-0x00000000029E2000-memory.dmp

Filesize
412KB

Download
memory/2992-118-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3016-109-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/3016-105-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-111-0x000000000276B000-0x00000000027D2000-memory.dmp

Filesize
412KB

Download
memory/3036-107-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-110-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/3036-117-0x000000000285B000-0x00000000028C2000-memory.dmp

Filesize
412KB

Download
memory/3036-100-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-96-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/3036-101-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/3036-114-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download