dcrat | cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Size

1.5MB
MD5

9113e61fefe783afc64305785fe21230
SHA1

0175acf449d5a5c337373aad116391dbf1eb5bc1
SHA256

cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764
SHA512

eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2244	schtasks.exe
		832	schtasks.exe
		2456	schtasks.exe
		2492	schtasks.exe
		1760	schtasks.exe
		2596	schtasks.exe
		1952	schtasks.exe
		2640	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
		2488	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Windows\\System32\\vbscript\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\System.exe\", \"C:\\Windows\\System32\\hnetmon\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Windows\\System32\\vbscript\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\System.exe\", \"C:\\Windows\\System32\\hnetmon\\csrss.exe\", \"C:\\Documents and Settings\\System.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Windows\\System32\\vbscript\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\System.exe\", \"C:\\Windows\\System32\\hnetmon\\csrss.exe\", \"C:\\Documents and Settings\\System.exe\", \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\services.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Windows\\System32\\vbscript\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\System.exe\", \"C:\\Windows\\System32\\hnetmon\\csrss.exe\", \"C:\\Documents and Settings\\System.exe\", \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Windows\\System32\\vbscript\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\System.exe\", \"C:\\Windows\\System32\\hnetmon\\csrss.exe\", \"C:\\Documents and Settings\\System.exe\", \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\System32\\gameux\\smss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Windows\\System32\\vbscript\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Windows\\System32\\vbscript\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Windows\\System32\\vbscript\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\System.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2584	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2584	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2584	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2584	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2584	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2584	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2584	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2584	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2584	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Executes dropped EXE 11 IoCs

pid	Process
2436	services.exe
528	services.exe
1676	services.exe
2656	services.exe
3068	services.exe
1904	services.exe
2268	services.exe
928	services.exe
1260	services.exe
2680	services.exe
1964	services.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764 = "\"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\hnetmon\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Documents and Settings\\System.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\gameux\\smss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764 = "\"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\hnetmon\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\services.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Documents and Settings\\System.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\4a649302-488a-11ee-87ae-f7238ff672e7\\services.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\gameux\\smss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\vbscript\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\vbscript\\csrss.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\System.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\System.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\vbscript\886983d96e3d3e	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\hnetmon\csrss.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\vbscript\csrss.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\hnetmon\RCX9B6.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\hnetmon\csrss.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\vbscript\csrss.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\gameux\smss.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\gameux\69ddcba757bf72	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\vbscript\RCX35D.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\gameux\RCX12DE.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\gameux\smss.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\hnetmon\886983d96e3d3e	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\886983d96e3d3e	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCX7A3.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX10CB.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\27d1bcfc3c54e0	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2244	schtasks.exe
1952	schtasks.exe
2640	schtasks.exe
2456	schtasks.exe
2492	schtasks.exe
1760	schtasks.exe
832	schtasks.exe
2488	schtasks.exe
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
680	powershell.exe
2560	powershell.exe
2744	powershell.exe
2060	powershell.exe
372	powershell.exe
2500	powershell.exe
2756	powershell.exe
2980	powershell.exe
2128	powershell.exe
1928	powershell.exe
2436	services.exe
2436	services.exe
2436	services.exe
2436	services.exe
2436	services.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2436	services.exe
Token: SeDebugPrivilege	528	services.exe
Token: SeDebugPrivilege	1676	services.exe
Token: SeDebugPrivilege	2656	services.exe
Token: SeDebugPrivilege	3068	services.exe
Token: SeDebugPrivilege	1904	services.exe
Token: SeDebugPrivilege	2268	services.exe
Token: SeDebugPrivilege	928	services.exe
Token: SeDebugPrivilege	1260	services.exe
Token: SeDebugPrivilege	2680	services.exe
Token: SeDebugPrivilege	1964	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 372	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	40
PID 2200 wrote to memory of 372	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	40
PID 2200 wrote to memory of 372	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	40
PID 2200 wrote to memory of 680	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	41
PID 2200 wrote to memory of 680	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	41
PID 2200 wrote to memory of 680	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	41
PID 2200 wrote to memory of 2500	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	43
PID 2200 wrote to memory of 2500	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	43
PID 2200 wrote to memory of 2500	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	43
PID 2200 wrote to memory of 2560	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	44
PID 2200 wrote to memory of 2560	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	44
PID 2200 wrote to memory of 2560	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	44
PID 2200 wrote to memory of 2756	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	45
PID 2200 wrote to memory of 2756	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	45
PID 2200 wrote to memory of 2756	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	45
PID 2200 wrote to memory of 2744	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	50
PID 2200 wrote to memory of 2744	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	50
PID 2200 wrote to memory of 2744	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	50
PID 2200 wrote to memory of 2128	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	49
PID 2200 wrote to memory of 2128	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	49
PID 2200 wrote to memory of 2128	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	49
PID 2200 wrote to memory of 2060	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	47
PID 2200 wrote to memory of 2060	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	47
PID 2200 wrote to memory of 2060	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	47
PID 2200 wrote to memory of 2980	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	48
PID 2200 wrote to memory of 2980	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	48
PID 2200 wrote to memory of 2980	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	48
PID 2200 wrote to memory of 1928	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	51
PID 2200 wrote to memory of 1928	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	51
PID 2200 wrote to memory of 1928	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	51
PID 2200 wrote to memory of 1816	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	60
PID 2200 wrote to memory of 1816	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	60
PID 2200 wrote to memory of 1816	2200	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	60
PID 1816 wrote to memory of 1604	1816	cmd.exe	62
PID 1816 wrote to memory of 1604	1816	cmd.exe	62
PID 1816 wrote to memory of 1604	1816	cmd.exe	62
PID 1816 wrote to memory of 2436	1816	cmd.exe	63
PID 1816 wrote to memory of 2436	1816	cmd.exe	63
PID 1816 wrote to memory of 2436	1816	cmd.exe	63
PID 2436 wrote to memory of 1636	2436	services.exe	64
PID 2436 wrote to memory of 1636	2436	services.exe	64
PID 2436 wrote to memory of 1636	2436	services.exe	64
PID 2436 wrote to memory of 1628	2436	services.exe	65
PID 2436 wrote to memory of 1628	2436	services.exe	65
PID 2436 wrote to memory of 1628	2436	services.exe	65
PID 1636 wrote to memory of 528	1636	WScript.exe	66
PID 1636 wrote to memory of 528	1636	WScript.exe	66
PID 1636 wrote to memory of 528	1636	WScript.exe	66
PID 528 wrote to memory of 2224	528	services.exe	67
PID 528 wrote to memory of 2224	528	services.exe	67
PID 528 wrote to memory of 2224	528	services.exe	67
PID 528 wrote to memory of 2152	528	services.exe	68
PID 528 wrote to memory of 2152	528	services.exe	68
PID 528 wrote to memory of 2152	528	services.exe	68
PID 2224 wrote to memory of 1676	2224	WScript.exe	69
PID 2224 wrote to memory of 1676	2224	WScript.exe	69
PID 2224 wrote to memory of 1676	2224	WScript.exe	69
PID 1676 wrote to memory of 2240	1676	services.exe	70
PID 1676 wrote to memory of 2240	1676	services.exe	70
PID 1676 wrote to memory of 2240	1676	services.exe	70
PID 1676 wrote to memory of 2548	1676	services.exe	71
PID 1676 wrote to memory of 2548	1676	services.exe	71
PID 1676 wrote to memory of 2548	1676	services.exe	71
PID 2240 wrote to memory of 2656	2240	WScript.exe	72

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
"C:\Users\Admin\AppData\Local\Temp\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vbscript\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Admin\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\System.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\hnetmon\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\gameux\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7qvkw9e47R.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1604
- - C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
    "C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2436
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f57ccf51-2387-4a6f-afaa-53ca88493117.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:528
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87286aae-d769-4fcc-aae0-bf80c4fa656e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8d8ef5c-4ef6-43db-8dde-f3b1f2bd786d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b7f8b26-5ab7-4905-9708-42b61795cb57.vbs"
        10⤵
        
        PID:436
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce549af3-2181-47e5-9083-587ab940ce0a.vbs"
        12⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf5891f-7abe-41ef-8605-013292469109.vbs"
        12⤵
        
        PID:1156
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5735600e-7fca-4793-b71f-c301719d0fab.vbs"
        14⤵
        
        PID:1216
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a125014-187e-46d6-badf-faffe53a50c5.vbs"
        16⤵
        
        PID:1656
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a450e72a-92d3-46a6-af2f-2878006eff5d.vbs"
        18⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acdb6c94-bb63-47c0-8a61-2be9ee68a61d.vbs"
        18⤵
        
        PID:1744
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e25eeb04-c8ff-47ec-96fa-9739628c6504.vbs"
        20⤵
        
        PID:2000
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be91e6af-61af-42df-a0b3-b760143066c4.vbs"
        22⤵
        
        PID:1900
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        
        C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c19eedc-ba97-4740-b626-002e6db4ed95.vbs"
        24⤵
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc3f6a3a-0812-4509-9a47-368b4917b33b.vbs"
        24⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fea861c0-9dbe-46bf-9d1b-8c0c6150a5b9.vbs"
        22⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d7b367f-2d16-4c67-88eb-41dcc705fc0a.vbs"
        20⤵
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ea8ae41-f8ae-4132-8aba-db74e3d9c85e.vbs"
        16⤵
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d291f30-a06c-4950-bdee-bf1a09043c3f.vbs"
        14⤵
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a36e9cb-080a-4594-bad7-cf3d4966725a.vbs"
        10⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95279b1d-bc73-4556-82d7-cd9b8b99769f.vbs"
        8⤵
        
        PID:2548
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\330eb4b4-da61-47c2-9d22-21e1008b4abc.vbs"
        6⤵
        
        PID:2152
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dc0f5b5-3e57-477b-88fe-06b112294d67.vbs"
      4⤵
      PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764" /sc ONLOGON /tr "'C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\vbscript\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Admin\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\hnetmon\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Documents and Settings\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\gameux\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Recovery\4a649302-488a-11ee-87ae-f7238ff672e7\services.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d7b367f-2d16-4c67-88eb-41dcc705fc0a.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dc0f5b5-3e57-477b-88fe-06b112294d67.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bf5891f-7abe-41ef-8605-013292469109.vbs

Filesize
737B

MD5
9408d9731704d693f8c0c65267ef951b

SHA1
04bf9d5e6d60f4fb06484fd2efc73c2f0f518eac

SHA256
c8428272b5db49b66759e20fb5cff1f8d299b30241172b6c4a5ef19c399f8a52

SHA512
568bbe3df7857c3729f9af20816c2844f19f744005124753541d01ee92c11a4465950e112f68d35ef048de22a16897795ad3f3b03cf5bf5d1b2a36cfc6da6a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\330eb4b4-da61-47c2-9d22-21e1008b4abc.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\330eb4b4-da61-47c2-9d22-21e1008b4abc.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c19eedc-ba97-4740-b626-002e6db4ed95.vbs

Filesize
737B

MD5
9f06b47a2d423ca0c73db798110edb75

SHA1
ab0509f7160dfe6b89c779019e0442eab5d6e938

SHA256
e297ec48535ac31da71e472ad775f9b27957531bd21c394cfc80bcaf6d72d687

SHA512
2b1974e5fa37b75442e9a6ada830b0846fc20157f7f40598f1f5b9f72d54d89a3a5d156f8801de62f244a456c706e4340299832e4727b118bbd8055161c77153

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a36e9cb-080a-4594-bad7-cf3d4966725a.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\5735600e-7fca-4793-b71f-c301719d0fab.vbs

Filesize
737B

MD5
0618b6f209c8ebb00c0c11308f47f26d

SHA1
cd0ea98f254e6865f3514d088e3cb368ba596ad7

SHA256
09347f48920de3bb0789e9242953e86a37b2002626da0ae17c07014c1d0f480e

SHA512
a5f46ed8c320dc4cc66671c5d3db3435298fcbe992fcb2c0c5efef8e197d9666861b7039cecfae9a7aa79bb6d2e06e8023682294ff104ae500169b4da74c29f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b7f8b26-5ab7-4905-9708-42b61795cb57.vbs

Filesize
737B

MD5
b006627793a3a1253be26f16c98ad87e

SHA1
3b1382384dc2fcd15f32425d28d5952ceddc673f

SHA256
bcf09f55820ceb473a6080dc0c018fdc5303619cd2f83144c635a5d5b6852e0c

SHA512
a44bb0fae3385bdc33caab20e4d060904a10640cd691eee3478eb77d217d794a21e731546e8537805bafed97fcf358e865b0e696c0bcf654c7b1b384026ca187

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ea8ae41-f8ae-4132-8aba-db74e3d9c85e.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a125014-187e-46d6-badf-faffe53a50c5.vbs

Filesize
737B

MD5
2d739556628868fccbbceb7154da823a

SHA1
303532e69515111eca866b752943e55ba1eeedaf

SHA256
f28e6b44fbd2b36e1b056fe9af2ca4f98749866a1380e2f9295e7113af3901d8

SHA512
4faf48ded614f0653b25023541c63f38399a7c6279050d0c5339ecc840c02a024cde7af69476541318f3f69bb418052bbf5cdd0834fda7a86bcb47c1a07d62da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7qvkw9e47R.bat

Filesize
225B

MD5
544c63b0a5fbc7213ad9f6c4b378219f

SHA1
12d0bff4d80e59226ac98db807b0a07dc80c9414

SHA256
f2f0753ef3ccd2c077b3521b91b9a71bd795075478d60c5a66ae9bcdf0569a43

SHA512
307e4ee8fe398e73f0026bc335817d0dab5d516439f2dd23f9baadd7385cfd1cd73a97a23d31953f0763a77dad0017d0c8b8c213521a7dc251e5e5a6bd8a50cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\87286aae-d769-4fcc-aae0-bf80c4fa656e.vbs

Filesize
736B

MD5
cd93cb28ccd120c3d296c431b3f59da4

SHA1
1833303b8f1f4404bc1a7175949e55957a8f58fc

SHA256
621392eb280a5cab35ef0490d17d2149523bff062d960285575df1abd03003fd

SHA512
cb8a37bc6eeea4d2c4103b6d45a5a6ba0bb3983e1ef4d3832a097f39fc88fc07ade50f436926632a19a59c61685f480a56d9a5efea06c7aaba8922fb0aec4bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d291f30-a06c-4950-bdee-bf1a09043c3f.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\95279b1d-bc73-4556-82d7-cd9b8b99769f.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2dd5eb5960933237d60a1772bcadda7bf9389c3.exe

Filesize
1.5MB

MD5
921bd4e08b30310144c01da7b24a6971

SHA1
d2bb4fc359b4bc2d2a2e625eb30dad697fe438b5

SHA256
0240779e1c88e8bc7be3d2796e903e51967953f0c34628ac9437e08602bf14e0

SHA512
ffca7382f0b67a7956c0f06c4d09afc0177355de01bfb9e9b321606c314e7005d4178cddd39989b005cb7345b1267bd2200e7b4e1db46e655f3da29d7da1c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a450e72a-92d3-46a6-af2f-2878006eff5d.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\acdb6c94-bb63-47c0-8a61-2be9ee68a61d.vbs

Filesize
736B

MD5
f31e4d1ecf4b4167a295ad2ebb6671b2

SHA1
704ca5d7893e7c914f1d5437f3186a7c483b23fd

SHA256
bb8490bd97951e1e62096a100080ca4522ea0464072de0640086a4fbd0f8e345

SHA512
faa1f6d8a067bded3db831b7ae2be2bb400753f21ab5181b082ba9d7c73bb186a69ab1ad8cdc52d9734ece982d031f01ec791488e97f736ee38adeaf6d1154f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\be91e6af-61af-42df-a0b3-b760143066c4.vbs

Filesize
737B

MD5
5289ee356627ccc94c0d26abe720d93e

SHA1
7ce2f487cc2e604cb50d5c4b60c734f321118e05

SHA256
f802a4c4768a585bf4bbd7f871a29f58438080b94867c320d8698df392de651e

SHA512
dabd62c22c4a5b29d4c0046efa392de4ba1288786a9d5a669bb7aa1e58c2d0337ac432b08f7abe5ae2b56a3254251afa6b0874c820fefe4f113aaf0114296724

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8d8ef5c-4ef6-43db-8dde-f3b1f2bd786d.vbs

Filesize
737B

MD5
055667490c81d1a6db17a2926db95afc

SHA1
0f588038054dea3ab13dba55548e9608225489f2

SHA256
8aa894c650a1931e9674218a76ba76d82d8c4652ecbc83f1f069ae076714be88

SHA512
e3aa80a70f55e25fa57a87254db20a261d3e4578eca7a28054bf216cc6c63dae9650c558ca653f86db301abc1f5543f309ffb1b3df2df9c6fa665121d4fa4cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce549af3-2181-47e5-9083-587ab940ce0a.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc3f6a3a-0812-4509-9a47-368b4917b33b.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Local\Temp\e25eeb04-c8ff-47ec-96fa-9739628c6504.vbs

Filesize
737B

MD5
f8879752dfb5b4a6b6ff3f798a5ea5e1

SHA1
265bdfa6cb4b0d7597e693da45f9ccd6268e12b2

SHA256
9d2e5750f7e09248119e8151133b1a814402e35acaaafc4691df95597d2c7c9b

SHA512
fcf12f135098f4854ac3e64c6fe8b9abc5bd1141b63aa8dc7d631d6e4105c0cac0ab4c59bed5905f7a46287d902357f1462eff0a9a0471753902fade8400eb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f57ccf51-2387-4a6f-afaa-53ca88493117.vbs

Filesize
737B

MD5
a4a2822d13bfc54ff730dc5693d780a0

SHA1
e8f20b281686e0b776e4b93bffd437654a9f9b44

SHA256
493d0d1d3497b41decced195e226e1bb464e451992907f104c265994c90b072a

SHA512
336a5ef70ced52a1b0defb879796198364efb43928451e6e946c3c2714f4c0f2819a01a601f7cd6c997bac68e876ca695920e9f951c90a1cce8347c821aaefa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fea861c0-9dbe-46bf-9d1b-8c0c6150a5b9.vbs

Filesize
513B

MD5
41e61840cd88b6034b9d6dbadc3c4d6a

SHA1
1979a8f8950c1079ffae0c5a58cae2467c081e15

SHA256
bddfe3e7d8278e13b05c8de8c2f0620bcab59d6d5f4e1f76b2ef3c5397936f85

SHA512
d382dada3a0b7534454c085a4ff1e56bfcdeb738ba04fd0a603f4645ebd9998c734ea40171e2819f3cf1ee208072ac6ee0da467664f752b100ca307f36b56228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FIHGWODBWZKWZP28KE3.temp

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
893c52870d6e27cb515e1b771e4600ed

SHA1
3bb69984464127bf2bf96ad099cda7c9986da3cd

SHA256
81599dcef4a09d0291ff1897411e1e3ed489baa83a499a1d7b3d3492f6d5244c

SHA512
e1cfe2d68f48e2688807b7305c6a9139a773547208c0ef50cc162a1d20c4372c3fadf76cd779ef740478f239e8c4607bddb7b4613017b331da2c85348e7e67b6

Download Submit
C:\Windows\System32\hnetmon\csrss.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
memory/372-183-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/372-196-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/372-194-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/372-201-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/680-179-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/680-177-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/680-178-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/680-180-0x00000000023B0000-0x0000000002430000-memory.dmp

Filesize
512KB

Download
memory/680-190-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/680-195-0x00000000023BB000-0x0000000002422000-memory.dmp

Filesize
412KB

Download
memory/680-181-0x00000000023B0000-0x0000000002430000-memory.dmp

Filesize
512KB

Download
memory/680-184-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/1928-199-0x000000000247B000-0x00000000024E2000-memory.dmp

Filesize
412KB

Download
memory/1928-193-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/1928-185-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2128-192-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2200-27-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-14-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/2200-1-0x0000000001150000-0x00000000012CE000-memory.dmp

Filesize
1.5MB

Download
memory/2200-2-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-3-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2200-4-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2200-5-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2200-6-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2200-0-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-7-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2200-34-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-167-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-129-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-112-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-104-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-91-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-90-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-81-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-80-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-64-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-65-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-50-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-8-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2200-9-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2200-10-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-26-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-25-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-22-0x0000000001100000-0x0000000001108000-memory.dmp

Filesize
32KB

Download
memory/2200-21-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/2200-19-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/2200-18-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/2200-17-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2200-16-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/2200-15-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/2200-46-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2200-13-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2200-12-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2200-11-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2500-182-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2744-187-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-186-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-198-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/2744-191-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2756-202-0x00000000028AB000-0x0000000002912000-memory.dmp

Filesize
412KB

Download
memory/2756-197-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/2756-188-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-189-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-200-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download