dcrat | 037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9b

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Size

4.9MB
MD5

10f3103c215eedcf2d565af9f05bab30
SHA1

72bb830358a487788941037e0ad611b528480736
SHA256

037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9b
SHA512

9134c6da84497f9be241df7ecb15e0285eaff148f191a432690d3fdac844824bee5ca02076255097bd807622b1cbee9fd27b85f34969b1efc6b003d794b2f82e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2632	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2788-3-0x000000001AB20000-0x000000001AC4E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
972	powershell.exe
2168	powershell.exe
1400	powershell.exe
2256	powershell.exe
2432	powershell.exe
2768	powershell.exe
2272	powershell.exe
2216	powershell.exe
2548	powershell.exe
2264	powershell.exe
2336	powershell.exe
2052	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1232	dllhost.exe
2224	dllhost.exe
2300	dllhost.exe
2744	dllhost.exe
1484	dllhost.exe
2252	dllhost.exe
2456	dllhost.exe
2240	dllhost.exe
1084	dllhost.exe
1036	dllhost.exe
1576	dllhost.exe
980	dllhost.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Portable Devices\OSPPSVC.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\27d1bcfc3c54e0	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Program Files\DVD Maker\it-IT\services.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX7D7C.tmp	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Program Files\Windows Portable Devices\1610b97d3ab4a7	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\System.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RCX8202.tmp	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\services.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Program Files\DVD Maker\it-IT\c5b4cb5e9653cc	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX8406.tmp	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Program Files\Windows Portable Devices\OSPPSVC.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX7975.tmp	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\System.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Characters\dllhost.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Windows\Web\Wallpaper\Characters\5940a34987c991	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Windows\Registration\CRMLog\csrss.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File created	C:\Windows\Registration\CRMLog\886983d96e3d3e	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\RCX7B79.tmp	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\dllhost.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX7FFE.tmp	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
File opened for modification	C:\Windows\Registration\CRMLog\csrss.exe	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
1940	schtasks.exe
1780	schtasks.exe
1232	schtasks.exe
2828	schtasks.exe
2936	schtasks.exe
2244	schtasks.exe
592	schtasks.exe
1844	schtasks.exe
1572	schtasks.exe
3000	schtasks.exe
1072	schtasks.exe
2960	schtasks.exe
2588	schtasks.exe
2672	schtasks.exe
2380	schtasks.exe
2996	schtasks.exe
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
2432	powershell.exe
2336	powershell.exe
2052	powershell.exe
972	powershell.exe
2168	powershell.exe
2256	powershell.exe
2272	powershell.exe
2548	powershell.exe
2216	powershell.exe
2768	powershell.exe
2264	powershell.exe
1400	powershell.exe
1232	dllhost.exe
2224	dllhost.exe
2300	dllhost.exe
2744	dllhost.exe
1484	dllhost.exe
2252	dllhost.exe
2456	dllhost.exe
2240	dllhost.exe
1084	dllhost.exe
1036	dllhost.exe
1576	dllhost.exe
980	dllhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	1232	dllhost.exe
Token: SeDebugPrivilege	2224	dllhost.exe
Token: SeDebugPrivilege	2300	dllhost.exe
Token: SeDebugPrivilege	2744	dllhost.exe
Token: SeDebugPrivilege	1484	dllhost.exe
Token: SeDebugPrivilege	2252	dllhost.exe
Token: SeDebugPrivilege	2456	dllhost.exe
Token: SeDebugPrivilege	2240	dllhost.exe
Token: SeDebugPrivilege	1084	dllhost.exe
Token: SeDebugPrivilege	1036	dllhost.exe
Token: SeDebugPrivilege	1576	dllhost.exe
Token: SeDebugPrivilege	980	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2768	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	49
PID 2788 wrote to memory of 2768	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	49
PID 2788 wrote to memory of 2768	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	49
PID 2788 wrote to memory of 2272	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	50
PID 2788 wrote to memory of 2272	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	50
PID 2788 wrote to memory of 2272	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	50
PID 2788 wrote to memory of 2264	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	51
PID 2788 wrote to memory of 2264	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	51
PID 2788 wrote to memory of 2264	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	51
PID 2788 wrote to memory of 2548	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	52
PID 2788 wrote to memory of 2548	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	52
PID 2788 wrote to memory of 2548	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	52
PID 2788 wrote to memory of 972	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	54
PID 2788 wrote to memory of 972	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	54
PID 2788 wrote to memory of 972	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	54
PID 2788 wrote to memory of 2216	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	55
PID 2788 wrote to memory of 2216	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	55
PID 2788 wrote to memory of 2216	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	55
PID 2788 wrote to memory of 2052	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	56
PID 2788 wrote to memory of 2052	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	56
PID 2788 wrote to memory of 2052	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	56
PID 2788 wrote to memory of 2432	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	58
PID 2788 wrote to memory of 2432	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	58
PID 2788 wrote to memory of 2432	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	58
PID 2788 wrote to memory of 2256	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	59
PID 2788 wrote to memory of 2256	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	59
PID 2788 wrote to memory of 2256	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	59
PID 2788 wrote to memory of 2168	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	62
PID 2788 wrote to memory of 2168	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	62
PID 2788 wrote to memory of 2168	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	62
PID 2788 wrote to memory of 1400	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	64
PID 2788 wrote to memory of 1400	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	64
PID 2788 wrote to memory of 1400	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	64
PID 2788 wrote to memory of 2336	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	65
PID 2788 wrote to memory of 2336	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	65
PID 2788 wrote to memory of 2336	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	65
PID 2788 wrote to memory of 696	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	73
PID 2788 wrote to memory of 696	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	73
PID 2788 wrote to memory of 696	2788	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe	73
PID 696 wrote to memory of 2524	696	cmd.exe	75
PID 696 wrote to memory of 2524	696	cmd.exe	75
PID 696 wrote to memory of 2524	696	cmd.exe	75
PID 696 wrote to memory of 1232	696	cmd.exe	76
PID 696 wrote to memory of 1232	696	cmd.exe	76
PID 696 wrote to memory of 1232	696	cmd.exe	76
PID 1232 wrote to memory of 2032	1232	dllhost.exe	77
PID 1232 wrote to memory of 2032	1232	dllhost.exe	77
PID 1232 wrote to memory of 2032	1232	dllhost.exe	77
PID 1232 wrote to memory of 1504	1232	dllhost.exe	78
PID 1232 wrote to memory of 1504	1232	dllhost.exe	78
PID 1232 wrote to memory of 1504	1232	dllhost.exe	78
PID 2032 wrote to memory of 2224	2032	WScript.exe	80
PID 2032 wrote to memory of 2224	2032	WScript.exe	80
PID 2032 wrote to memory of 2224	2032	WScript.exe	80
PID 2224 wrote to memory of 1540	2224	dllhost.exe	81
PID 2224 wrote to memory of 1540	2224	dllhost.exe	81
PID 2224 wrote to memory of 1540	2224	dllhost.exe	81
PID 2224 wrote to memory of 1964	2224	dllhost.exe	82
PID 2224 wrote to memory of 1964	2224	dllhost.exe	82
PID 2224 wrote to memory of 1964	2224	dllhost.exe	82
PID 1540 wrote to memory of 2300	1540	WScript.exe	83
PID 1540 wrote to memory of 2300	1540	WScript.exe	83
PID 1540 wrote to memory of 2300	1540	WScript.exe	83
PID 2300 wrote to memory of 1464	2300	dllhost.exe	84

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
"C:\Users\Admin\AppData\Local\Temp\037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mcoqnN0SPi.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2524
- - C:\Windows\Web\Wallpaper\Characters\dllhost.exe
    "C:\Windows\Web\Wallpaper\Characters\dllhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1232
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbb244ca-7610-413d-b93f-b708bd9eebca.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2224
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\984ba35d-58fe-48c9-886d-fc1d8d05813c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdd1c694-524f-40c0-b358-3822e8c98eaf.vbs"
        8⤵
        
        PID:1464
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63efe92a-2937-4d93-b3b5-a06e7c4bf5e3.vbs"
        10⤵
        
        PID:284
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\005279aa-ee79-45b4-82cf-815583bfc205.vbs"
        12⤵
        
        PID:2644
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76decfcc-c979-42c3-aa9c-4a9bce0fe046.vbs"
        14⤵
        
        PID:1520
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de5f594c-bf24-42e9-8138-10830d3670a5.vbs"
        16⤵
        
        PID:1396
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a72d60-cf4e-4231-b86b-12ab28090642.vbs"
        18⤵
        
        PID:2832
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34933b78-7e24-47af-a1c7-ec6fc88f7e3f.vbs"
        20⤵
        
        PID:1168
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44fc6467-3cdd-4cd2-a062-232225a8dec3.vbs"
        22⤵
        
        PID:1544
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e92f54c2-7220-4de4-8112-168ba87ef376.vbs"
        24⤵
        
        PID:2480
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        
        C:\Windows\Web\Wallpaper\Characters\dllhost.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84f0aad7-d935-46f8-ab9d-db34244f889a.vbs"
        26⤵
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14538f5f-1d2a-47c5-b4f1-cbf4dd570a46.vbs"
        26⤵
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50e491b3-03a0-4a2a-8d28-a4f7dffdbcc9.vbs"
        24⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ddf8c04-4425-4808-b3f6-f5977de94a54.vbs"
        22⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137762d1-aa93-48d3-aaa8-93ede7f39cb5.vbs"
        20⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5d61d00-0ae9-4b8c-bc9a-0347b5768851.vbs"
        18⤵
        
        PID:1428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da40323-7ef2-49a1-b879-9a5473bc8a88.vbs"
        16⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b799492-2761-4cc3-9561-1cc10c7fef7d.vbs"
        14⤵
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5472dfc8-09b1-42b0-a55d-a3241e36cc64.vbs"
        12⤵
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65e14b9f-96e0-4d8a-b1de-650f8b104c43.vbs"
        10⤵
        
        PID:796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\985a36ad-8c0e-43c2-93aa-2ec95d2051ab.vbs"
        8⤵
        
        PID:2168
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\022ffd18-cec2-4c3f-9788-f626296397cf.vbs"
        6⤵
        
        PID:1964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2c81125-8ce3-4e95-80e7-fe2525ca04b7.vbs"
      4⤵
      PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Characters\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Characters\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Characters\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\it-IT\services.exe

Filesize
4.9MB

MD5
10f3103c215eedcf2d565af9f05bab30

SHA1
72bb830358a487788941037e0ad611b528480736

SHA256
037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9b

SHA512
9134c6da84497f9be241df7ecb15e0285eaff148f191a432690d3fdac844824bee5ca02076255097bd807622b1cbee9fd27b85f34969b1efc6b003d794b2f82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\005279aa-ee79-45b4-82cf-815583bfc205.vbs

Filesize
723B

MD5
2cd9e43beff8a20bcf54d38ade6fe1df

SHA1
5c69cd033134f919c6c90f5abf7c430ee71f73f4

SHA256
9f271c1d07137cd226baa181d0802c3b5e6fdb10cc366ff11c60dbcc6fb0eb05

SHA512
886e1ddce1d793a8954ace148e06ac68ae8ffc8087f80092b71921fb8ca0e26e97451ac84d2b9d90f0947ddeb2e40c40b3440d08308f00c468c51aeb72aac7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\34933b78-7e24-47af-a1c7-ec6fc88f7e3f.vbs

Filesize
723B

MD5
00b21cac88b1931d9f1b41d2dc27498a

SHA1
24459c28e6021dd9c1e4e8cfdb0703462d06fa8d

SHA256
b6cc47ea6bcc6eee8a2be8d1203d296177a0b6f73426df79945dc646a4e605fe

SHA512
756f9c089385df13e505cec026e345755a894327d31e23783e4464e149d45bf032e75627e27a9111530086b5797e6e681864b29bb8bf9f922652d7d25ff77492

Download Submit
C:\Users\Admin\AppData\Local\Temp\44fc6467-3cdd-4cd2-a062-232225a8dec3.vbs

Filesize
723B

MD5
b58b992c8886cd06515b65e6a9e0408d

SHA1
524e9f649032e51f758117ecfd06a41fb4016291

SHA256
0bcdfb287562ccbe2a5a408bdc51670399f6d61dc8e30bbd9532d244264364f1

SHA512
eea07b92cebde69a4608334c7ca57c62bcea4bfee8476a84f3a66cc3cf7c0c0d9f9431c9a9be09a9a17d949caf5e922578e79ff49a7f8c47e97d2d5624be5381

Download Submit
C:\Users\Admin\AppData\Local\Temp\63efe92a-2937-4d93-b3b5-a06e7c4bf5e3.vbs

Filesize
723B

MD5
847af2d4da1f400b3340e831e9add908

SHA1
8fed392573c4dae4c7d8c94ede1eea3114b26394

SHA256
2c714222e8360fab9be4fa93ef2f92ad7eb07f2468fc539bb738c8bc6c896d33

SHA512
7549daa9d2b05436dc5e739a047026a98c92b73d5f39f4bc77fef3726b6ad73b29068fd882cfd0589e545b4b65205876631a6c4363cda660507fe54c1f65ee10

Download Submit
C:\Users\Admin\AppData\Local\Temp\76decfcc-c979-42c3-aa9c-4a9bce0fe046.vbs

Filesize
723B

MD5
e41be87416b729f469bd28f7c82e4f55

SHA1
95923440a6d12424f099888963880a91f0c38d6b

SHA256
63c80a4fbcc41f60552a84e4a92502a76c39da8ded22d65bfb55f0910e5502c9

SHA512
48f1e43c0e8cf33c4a5bada843f24a427863e76df96b51f5e7096d7efd3894b44099a752a71ec0611394d40b2a1133bc5e404e58d7317e85ae43cd492aff3e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\79d45b28fbda4d55e38c5d8d61176c741160da19.exe

Filesize
4.9MB

MD5
88e92bfe617e244144eed35ac9a57dba

SHA1
d17543acd88870e459b737080a9fbef0affaa6e4

SHA256
07cb28ecc3136e1c94e895a94717f858bc1298bd9e0dfd9f7c548b12c3d43e5f

SHA512
6c007ad88f3c4bece91f6503f00c790fa26d1a6b2174255939e0832e2df64c75bcaa99eeaf477d38f3c4102618a69ef5f4dece889406a3c625388d86f3d1d66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\84f0aad7-d935-46f8-ab9d-db34244f889a.vbs

Filesize
722B

MD5
f7e3149338af6f6e5905aeeb21a74928

SHA1
2b77f84f5f6fac5e05101810f0ec8210dc220900

SHA256
43d17b06f2e634c017357f13e327eefa5a0d6d1a881bbec3b305fe4545608bfd

SHA512
d910afa027580016b7446da97e2c1af050f9f2621178e8011450e50067b0bd59be3a3afab52fb3e7c3fb5e208556ac537d5447bc58b0c2c2a424682cbdb4373f

Download Submit
C:\Users\Admin\AppData\Local\Temp\984ba35d-58fe-48c9-886d-fc1d8d05813c.vbs

Filesize
723B

MD5
ba7294b8c16c5288a1f1b59384beab75

SHA1
99991b77563d470e93a71a56a9946825881f534a

SHA256
b7c1efdc4687c8a288e55c4ab345860836c00e0134fef9775874e9767d345550

SHA512
e7d1b4354bb8b1d173e6a57279a273c3f527e90d851e18c4d0f05bada0272df9d88b1e8748a1809da17c915fb80cfac365672c2f538058b6fe32236a7db2af67

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2c81125-8ce3-4e95-80e7-fe2525ca04b7.vbs

Filesize
499B

MD5
f55e58d35ea58f7225de7004148ddbcc

SHA1
ea4d568cf178923eafeeb25c540cea7d12c41bc6

SHA256
d5ce0065240a319a821de6adcac1e253ed0205ed78c65f5671aeda99eb25ec18

SHA512
ab7ed13d4aa87e4160aa6b89362bd75ac051d48ff62f916cf0565c353e0ed5058d61ec43afccefbbf64b5669884349d91215164e867eed78210bf556684f9324

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0a72d60-cf4e-4231-b86b-12ab28090642.vbs

Filesize
723B

MD5
74ac0a370266aace6f0f0407c5d981c6

SHA1
a354feab7dec443200fbb722fb08a07e4f875428

SHA256
d4d0de9c9bf4c2437d6c83c197a3f3976d95ccd7edfadecbaeea414f934c7476

SHA512
35667fd994586230c1edd22654c2a41643e82e65d1231be428ff481090a87b08f054da9198a1d61ad17b2615d5c33ee395f03a5e1e274fccaf3ec3ca33ac9ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbb244ca-7610-413d-b93f-b708bd9eebca.vbs

Filesize
723B

MD5
23699cb242a2a4d401bb757c4fc3be58

SHA1
252735bf7575366fe5f4b2c8bdf9d3218e08e806

SHA256
acc92a0520a80eaf10a3ff3e97ea46d1891c854fb0ab23809ef3bdb796b7ded1

SHA512
6c41479317c6279bb19e138d6cd38370bd0c240aba5b52bb0d336e2680000f5bbb2b70c584f7a9a0dabfd1a9582241ed7b0c8524650d2870e51e1b89d792ba55

Download Submit
C:\Users\Admin\AppData\Local\Temp\de5f594c-bf24-42e9-8138-10830d3670a5.vbs

Filesize
723B

MD5
43bcc635d4784e2b71e46dc44a2dc6c7

SHA1
ad6e2df13a76ae4c949c68264a6915552ad01f35

SHA256
b886880d3d0ac2ef29c5e3a3f0a9462a2a1599c4bd84d2fc39f15507321c5013

SHA512
11b3d76f4959fe2947b5b3e75d4c2c566a8704e8c8648760a29e1f44fe153d9f2b0eb6168ea259d72b3d8661dfe746d7a1bb336f0ecc521103a76256f22f70b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e92f54c2-7220-4de4-8112-168ba87ef376.vbs

Filesize
723B

MD5
092fa24b3a3d6f725ff74cb06bbf2309

SHA1
2ec3a41ed1f047b342586ddd60135002e6a68e2c

SHA256
5c6855501f57dce54d29efe495282a5e5d783411273109c064a3d67552b918f9

SHA512
75745af3743ac3b49ba117f924d21d286bfb4070fb3e1ca8011021ead8ef182c61400ca0423e741eeff53fc8be80288d81681ebd207eace561e84e5e9efc95f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdd1c694-524f-40c0-b358-3822e8c98eaf.vbs

Filesize
723B

MD5
290778ffa9de534ff793aafd236bd890

SHA1
70d36d3538c5bea0ce8f6abf4ab8eb846787b844

SHA256
fd55c10cb594aeebb3de500a19d5494139f73f8157516ca77f60c572e3291a11

SHA512
8144c1d417185c6c0bd6a4899f90f98dca06eeabd52a0a7e3739f2c136a912edb977dd175958a0a2f2895355cefac66c47d77e74fd2b79a782b358d120ec1300

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcoqnN0SPi.bat

Filesize
212B

MD5
6755e571d0c2eeb88f839879a4e9c362

SHA1
221300cbbbb4b6146f251f6c5ab727a978ecb464

SHA256
07d62d64e353a3c7137ea71dcaccd0623e1cb6136ae6038be4e25efa53fce8e6

SHA512
e94e425d6068a80283888b196af6d31115535c14d5fe20662034c9d75c59892a9084438a6815987e5b2a290f242728c57f739882b416c143cb88dc5d9a473b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB07B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c96e98cbd98538a2202fcdd22bd58e81

SHA1
182753860215dc7aa93df11554192064dededfb2

SHA256
5f9e534de21a94ad508a2b6df88b7fa6b683edeca4106d3f49a2a670707e6824

SHA512
2a57b2929d7a91370e2d6c35234d4ad053f8870d28478d6fabe4b58266e67e4ae6f2f687657df23df498d714a2fe1ec84d8b3d68925b74c5d89aafc3cec4458a

Download Submit
memory/1232-145-0x0000000000FD0000-0x00000000014C4000-memory.dmp

Filesize
5.0MB

Download
memory/1232-146-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/2224-160-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/2252-218-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2336-94-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2432-114-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2744-189-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2788-14-0x000000001ADE0000-0x000000001ADE8000-memory.dmp

Filesize
32KB

Download
memory/2788-15-0x000000001B1C0000-0x000000001B1C8000-memory.dmp

Filesize
32KB

Download
memory/2788-9-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2788-8-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2788-13-0x000000001ACD0000-0x000000001ACDE000-memory.dmp

Filesize
56KB

Download
memory/2788-12-0x000000001ACC0000-0x000000001ACCE000-memory.dmp

Filesize
56KB

Download
memory/2788-11-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/2788-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2788-1-0x00000000008E0000-0x0000000000DD4000-memory.dmp

Filesize
5.0MB

Download
memory/2788-16-0x000000001B1D0000-0x000000001B1DC000-memory.dmp

Filesize
48KB

Download
memory/2788-130-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-7-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/2788-6-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2788-5-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2788-4-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2788-3-0x000000001AB20000-0x000000001AC4E000-memory.dmp

Filesize
1.2MB

Download
memory/2788-2-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-10-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download