dcrat | 9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Size

1.5MB
MD5

8261fc22f84b5aeed1dd90a21e189642
SHA1

14d5d5ab37929a700f93adfcb460da55b7409b34
SHA256

9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c
SHA512

f3c530c918c332a1cd21f9c9fb9593772616c9e90436ea6219296612c047a526c73326944f592f23c81cd2e8b4fa5168f52bf8c1f5133d0db03b5d9923179cec
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 11 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1356	schtasks.exe
		1416	schtasks.exe
		2144	schtasks.exe
		2976	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\Vss\Writers\101b941d020240		9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
		2616	schtasks.exe
		3056	schtasks.exe
		2588	schtasks.exe
		2136	schtasks.exe
		2908	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Windows\\System32\\NlsData0019\\services.exe\", \"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\", \"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\smss.exe\", \"C:\\Windows\\System32\\accessibilitycpl\\csrss.exe\", \"C:\\Windows\\System32\\tscfgwmi\\csrss.exe\", \"C:\\Windows\\System32\\wiaaut\\taskhost.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Windows\\System32\\NlsData0019\\services.exe\", \"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\", \"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\smss.exe\", \"C:\\Windows\\System32\\accessibilitycpl\\csrss.exe\", \"C:\\Windows\\System32\\tscfgwmi\\csrss.exe\", \"C:\\Windows\\System32\\wiaaut\\taskhost.exe\", \"C:\\Windows\\fveupdate\\explorer.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Windows\\System32\\NlsData0019\\services.exe\", \"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\", \"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\smss.exe\", \"C:\\Windows\\System32\\accessibilitycpl\\csrss.exe\", \"C:\\Windows\\System32\\tscfgwmi\\csrss.exe\", \"C:\\Windows\\System32\\wiaaut\\taskhost.exe\", \"C:\\Windows\\fveupdate\\explorer.exe\", \"C:\\Documents and Settings\\System.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Windows\\System32\\NlsData0019\\services.exe\", \"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Windows\\System32\\NlsData0019\\services.exe\", \"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\", \"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\smss.exe\", \"C:\\Windows\\System32\\accessibilitycpl\\csrss.exe\", \"C:\\Windows\\System32\\tscfgwmi\\csrss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Windows\\System32\\NlsData0019\\services.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Windows\\System32\\NlsData0019\\services.exe\", \"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\", \"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\smss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Vss\\Writers\\lsm.exe\", \"C:\\Windows\\System32\\NlsData0019\\services.exe\", \"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\", \"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\smss.exe\", \"C:\\Windows\\System32\\accessibilitycpl\\csrss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2720	schtasks.exe	30

UAC bypass 3 TTPs 57 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2348	powershell.exe
264	powershell.exe
828	powershell.exe
1040	powershell.exe
1748	powershell.exe
1952	powershell.exe
2336	powershell.exe
480	powershell.exe
568	powershell.exe
1824	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Executes dropped EXE 18 IoCs

pid	Process
1476	services.exe
2532	services.exe
2116	services.exe
1856	services.exe
552	services.exe
2256	services.exe
544	services.exe
1860	services.exe
2016	services.exe
2928	services.exe
1080	services.exe
2940	services.exe
2176	services.exe
1788	services.exe
1716	services.exe
716	services.exe
2796	services.exe
1040	services.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\smss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\wiaaut\\taskhost.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Documents and Settings\\System.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Vss\\Writers\\lsm.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\accessibilitycpl\\csrss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\tscfgwmi\\csrss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\fveupdate\\explorer.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Documents and Settings\\System.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\NlsData0019\\services.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\WPDShextAutoplay\\services.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\NlsData0019\\services.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\smss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\tscfgwmi\\csrss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\wiaaut\\taskhost.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\fveupdate\\explorer.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Vss\\Writers\\lsm.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\accessibilitycpl\\csrss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\accessibilitycpl\886983d96e3d3e	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\tscfgwmi\886983d96e3d3e	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\wiaaut\b75386f1303e64	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\NlsData0019\RCX2290.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\NlsData0019\services.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\accessibilitycpl\RCX289B.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\accessibilitycpl\csrss.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\wiaaut\taskhost.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\WPDShextAutoplay\services.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\accessibilitycpl\csrss.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\wiaaut\taskhost.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\WPDShextAutoplay\c5b4cb5e9653cc	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\WPDShextAutoplay\RCX2494.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\tscfgwmi\RCX2A9F.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\tscfgwmi\csrss.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\wiaaut\RCX2D10.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\NlsData0019\c5b4cb5e9653cc	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\WPDShextAutoplay\services.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\tscfgwmi\csrss.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\NlsData0019\services.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\101b941d020240	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\fveupdate\explorer.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\fveupdate\7a0fd90576e088	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\Vss\Writers\RCX201F.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\fveupdate\RCX2F14.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\fveupdate\explorer.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\Vss\Writers\lsm.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\Vss\Writers\lsm.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe
2908	schtasks.exe
2588	schtasks.exe
1356	schtasks.exe
2136	schtasks.exe
2144	schtasks.exe
2616	schtasks.exe
3056	schtasks.exe
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
1952	powershell.exe
2348	powershell.exe
1748	powershell.exe
568	powershell.exe
1040	powershell.exe
264	powershell.exe
828	powershell.exe
480	powershell.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
1824	powershell.exe
2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2336	powershell.exe
1476	services.exe
1476	services.exe
1476	services.exe
1476	services.exe
1476	services.exe
1476	services.exe
1476	services.exe
1476	services.exe
2532	services.exe
2532	services.exe
2532	services.exe
2532	services.exe
2532	services.exe
2532	services.exe
2532	services.exe
2532	services.exe
2532	services.exe
2532	services.exe
2116	services.exe
2116	services.exe
2116	services.exe
2116	services.exe
2116	services.exe
2116	services.exe
2116	services.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	480	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1476	services.exe
Token: SeDebugPrivilege	2532	services.exe
Token: SeDebugPrivilege	2116	services.exe
Token: SeDebugPrivilege	1856	services.exe
Token: SeDebugPrivilege	552	services.exe
Token: SeDebugPrivilege	2256	services.exe
Token: SeDebugPrivilege	544	services.exe
Token: SeDebugPrivilege	1860	services.exe
Token: SeDebugPrivilege	2016	services.exe
Token: SeDebugPrivilege	2928	services.exe
Token: SeDebugPrivilege	1080	services.exe
Token: SeDebugPrivilege	2940	services.exe
Token: SeDebugPrivilege	2176	services.exe
Token: SeDebugPrivilege	1788	services.exe
Token: SeDebugPrivilege	1716	services.exe
Token: SeDebugPrivilege	716	services.exe
Token: SeDebugPrivilege	2796	services.exe
Token: SeDebugPrivilege	1040	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 568	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	40
PID 2256 wrote to memory of 568	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	40
PID 2256 wrote to memory of 568	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	40
PID 2256 wrote to memory of 264	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	41
PID 2256 wrote to memory of 264	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	41
PID 2256 wrote to memory of 264	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	41
PID 2256 wrote to memory of 480	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	42
PID 2256 wrote to memory of 480	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	42
PID 2256 wrote to memory of 480	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	42
PID 2256 wrote to memory of 1824	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	44
PID 2256 wrote to memory of 1824	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	44
PID 2256 wrote to memory of 1824	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	44
PID 2256 wrote to memory of 2336	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	47
PID 2256 wrote to memory of 2336	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	47
PID 2256 wrote to memory of 2336	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	47
PID 2256 wrote to memory of 828	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	48
PID 2256 wrote to memory of 828	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	48
PID 2256 wrote to memory of 828	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	48
PID 2256 wrote to memory of 1952	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	49
PID 2256 wrote to memory of 1952	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	49
PID 2256 wrote to memory of 1952	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	49
PID 2256 wrote to memory of 1748	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	51
PID 2256 wrote to memory of 1748	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	51
PID 2256 wrote to memory of 1748	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	51
PID 2256 wrote to memory of 1040	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	52
PID 2256 wrote to memory of 1040	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	52
PID 2256 wrote to memory of 1040	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	52
PID 2256 wrote to memory of 2348	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	54
PID 2256 wrote to memory of 2348	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	54
PID 2256 wrote to memory of 2348	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	54
PID 2256 wrote to memory of 1476	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	60
PID 2256 wrote to memory of 1476	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	60
PID 2256 wrote to memory of 1476	2256	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	60
PID 1476 wrote to memory of 2568	1476	services.exe	61
PID 1476 wrote to memory of 2568	1476	services.exe	61
PID 1476 wrote to memory of 2568	1476	services.exe	61
PID 1476 wrote to memory of 1416	1476	services.exe	62
PID 1476 wrote to memory of 1416	1476	services.exe	62
PID 1476 wrote to memory of 1416	1476	services.exe	62
PID 2568 wrote to memory of 2532	2568	WScript.exe	63
PID 2568 wrote to memory of 2532	2568	WScript.exe	63
PID 2568 wrote to memory of 2532	2568	WScript.exe	63
PID 2532 wrote to memory of 444	2532	services.exe	64
PID 2532 wrote to memory of 444	2532	services.exe	64
PID 2532 wrote to memory of 444	2532	services.exe	64
PID 2532 wrote to memory of 1056	2532	services.exe	65
PID 2532 wrote to memory of 1056	2532	services.exe	65
PID 2532 wrote to memory of 1056	2532	services.exe	65
PID 444 wrote to memory of 2116	444	WScript.exe	66
PID 444 wrote to memory of 2116	444	WScript.exe	66
PID 444 wrote to memory of 2116	444	WScript.exe	66
PID 2116 wrote to memory of 2024	2116	services.exe	67
PID 2116 wrote to memory of 2024	2116	services.exe	67
PID 2116 wrote to memory of 2024	2116	services.exe	67
PID 2116 wrote to memory of 2464	2116	services.exe	68
PID 2116 wrote to memory of 2464	2116	services.exe	68
PID 2116 wrote to memory of 2464	2116	services.exe	68
PID 2024 wrote to memory of 1856	2024	WScript.exe	69
PID 2024 wrote to memory of 1856	2024	WScript.exe	69
PID 2024 wrote to memory of 1856	2024	WScript.exe	69
PID 1856 wrote to memory of 896	1856	services.exe	70
PID 1856 wrote to memory of 896	1856	services.exe	70
PID 1856 wrote to memory of 896	1856	services.exe	70
PID 1856 wrote to memory of 2860	1856	services.exe	71

System policy modification 1 TTPs 57 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
"C:\Users\Admin\AppData\Local\Temp\9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsData0019\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WPDShextAutoplay\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\accessibilitycpl\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\tscfgwmi\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wiaaut\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fveupdate\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\NlsData0019\services.exe
  "C:\Windows\System32\NlsData0019\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1476
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\046d9712-4a42-49a5-bd84-a7ed10321e78.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\System32\NlsData0019\services.exe
      C:\Windows\System32\NlsData0019\services.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2532
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e52bc77-035a-4e4b-83f5-f6eb346c4e51.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c14a8a3-0f43-4dac-a83d-f73fd4104533.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef85ab7d-74f7-4563-951e-91e5eb668458.vbs"
        9⤵
        
        PID:896
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b9a911e-264e-4611-abdf-62380fca723f.vbs"
        11⤵
        
        PID:264
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed704654-667b-4d02-bacb-ca407b422495.vbs"
        13⤵
        
        PID:2900
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\baa145b2-81c0-4d89-9101-d205a8bddd08.vbs"
        15⤵
        
        PID:2036
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bdf511c-0e61-4e68-9d07-cb4ef435affd.vbs"
        17⤵
        
        PID:2164
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcedd0ee-70fb-40a9-b225-12936bffa2f1.vbs"
        19⤵
        
        PID:1068
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\891b7320-aa4b-45da-8ea3-bc56e66f6ce3.vbs"
        21⤵
        
        PID:1916
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79eb15ef-b4af-44d7-b1db-67f6e04d89bf.vbs"
        23⤵
        
        PID:2448
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04c30c7d-3f22-4955-8a33-685ac785b3c2.vbs"
        25⤵
        
        PID:2424
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcc106e9-04d1-4b3f-8816-0e5f561a2d68.vbs"
        27⤵
        
        PID:2432
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\429dc427-730a-4f3a-9368-32b9234b97bc.vbs"
        29⤵
        
        PID:932
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        30⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dee519b9-b952-4d58-a8f3-31c43ed74be9.vbs"
        31⤵
        
        PID:2140
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        32⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f598a6a5-2e45-44e4-82cf-822366dd8f95.vbs"
        33⤵
        
        PID:2456
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        34⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d008935c-51c0-42eb-8533-dbd14ee1f947.vbs"
        35⤵
        
        PID:620
        
        C:\Windows\System32\NlsData0019\services.exe
        
        C:\Windows\System32\NlsData0019\services.exe
        36⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32affd43-071a-469a-bbba-e856dadc7264.vbs"
        37⤵
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55b983b1-7bf9-42d9-b74f-67a40a045656.vbs"
        37⤵
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfd5cc5d-8cfa-4293-8ca7-9e9adbd1b50c.vbs"
        35⤵
        
        PID:352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26dff7bc-2205-4859-9938-04fb3633e333.vbs"
        33⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\093579c8-b36b-420e-a06b-8bd913fb0013.vbs"
        31⤵
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e71036c-8041-492d-939d-c4f4e14158e1.vbs"
        29⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a50a3392-1f81-417d-9907-969299b79bbe.vbs"
        27⤵
        
        PID:1104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\530ffa3e-7dab-48e5-9cd7-d9b76692f946.vbs"
        25⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c99740fe-6e08-4f18-8033-ce8f5daa36f9.vbs"
        23⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87f661bb-c32f-45bc-9421-0f67523c6998.vbs"
        21⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e751a19-41e1-4066-b21d-774a5959bc23.vbs"
        19⤵
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc7de0e-d8e5-4237-8818-baf170a6d6a9.vbs"
        17⤵
        
        PID:1812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bd92319-d172-4823-837f-42b8069d8033.vbs"
        15⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bf667d1-d350-4a6a-a704-65f51d47c99c.vbs"
        13⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f761c89b-37b1-4194-ac5b-1e9bc849c2f3.vbs"
        11⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\885a6e9c-dcdf-4b40-8ab7-f2256dfde757.vbs"
        9⤵
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d528a1c-7a08-4d25-8134-9328d8aa87ee.vbs"
        7⤵
        
        PID:2464
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09ac542a-f435-49d2-9cc2-a58f75e2bdfe.vbs"
        5⤵
        
        PID:1056
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7649afc5-521b-46ee-84a3-3d2583a76f12.vbs"
    3⤵
    PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\NlsData0019\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\WPDShextAutoplay\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\accessibilitycpl\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\tscfgwmi\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\wiaaut\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\fveupdate\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Documents and Settings\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\046d9712-4a42-49a5-bd84-a7ed10321e78.vbs

Filesize
720B

MD5
c735a579119d2d26efdd85201733cc3b

SHA1
2df1fb2e7d014072e736e644f40c89db394e7def

SHA256
b38a9f37ed89807b0136cae94f16dbe44594bc5931de259bda19ba63e5c9408d

SHA512
144d2c6186fb9b273d49c57235ad886ca8a21f5f638ccb0ea008b0fb240fdeadfafe8a00f239ee9b74be7e73955bb0ed727b6606a9a5661b45132f8e146ffc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\04c30c7d-3f22-4955-8a33-685ac785b3c2.vbs

Filesize
720B

MD5
4c9582118ba0c4435efb2361c7b52869

SHA1
c91ccc4e568e6c7c4069dd987e538a4bd6317a92

SHA256
09e9173456d6023cb23b06f48f2ec46468c2d1e40b64e1ff7291f37f3225a21c

SHA512
661b7c2a700ef959be22e119cde206cd668b9d8e3de9f053ee45ef56e1f7c693f5d9bd861f7a796eb097653cebf5a9cf09f5840a83df299fd61d229ef50728db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e52bc77-035a-4e4b-83f5-f6eb346c4e51.vbs

Filesize
720B

MD5
684022a298983cdeb3d59841dff58627

SHA1
b6324388e171d319d440c5d136a290304d1f7c14

SHA256
e43d40cda8cd9831c2801c8b72bcd1d6a39587f4bf829d97ea53e573ccc234d5

SHA512
1fb9efe1aafb0c69055971ef4ccd0f1304e670d42a0cd906445581274aaf33bc1110fb8ce2f81bdd247fe6553fe1f9b895426b372c93fbe765c3fcc7912063e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bdf511c-0e61-4e68-9d07-cb4ef435affd.vbs

Filesize
720B

MD5
5e14152eeda81d3ad6efbf6429672750

SHA1
fb0ec183c3487b1d4b19a2f5e7d1939bae0c93c6

SHA256
08792061681987745529dbef1fc4bf764b1354db17d5cade3c121a4f90a7388e

SHA512
06c68d0716d5ce05a6c746ea4fb6eefa6f957c913699893c23e4f8cd422dbebc2a86b0fec964649b12b89b7bd8766a44502e4592ece275e1c441794344fb1b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\429dc427-730a-4f3a-9368-32b9234b97bc.vbs

Filesize
720B

MD5
6b1ebb3b86d561cf9c4cfdc09385e671

SHA1
6f379ed45d0f5a27b680e09b58dc9574cd646cd4

SHA256
46708001c637f511f8d6a103d102a600e9cd00c2fcd931c5796cab37a8a5e98f

SHA512
68f30df9f1e6957dee8811eda427eb3587526edef1cdd0eb98fef0cf1ec48a0108b81bf1ac67776e237f2944f0675d5e6cbf972ee21fbae180d3d6f25c5e49cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7649afc5-521b-46ee-84a3-3d2583a76f12.vbs

Filesize
496B

MD5
3ae0cb707e932097e4368e98f2abc7b7

SHA1
0da9ab479aaeab36e39b1d96545b7e995774ba5c

SHA256
c0707985c8ce60e02463a9ce2b3a2ddd847c1a0d4282ebed6d781f37e30b1e0d

SHA512
b162d018591deab6ee8cff7f93183f2dddcc9e6ad888fd0d2d5985674444a3a97f04b8dbf11806b1678c0e93b81a81fede9acafd48a24124d702deb29eb96537

Download Submit
C:\Users\Admin\AppData\Local\Temp\79eb15ef-b4af-44d7-b1db-67f6e04d89bf.vbs

Filesize
720B

MD5
94247b7db8067a6e1260207d21e76e34

SHA1
06400b08c63cb74c7d45f382445dc3b881e78f1f

SHA256
d978f49f21c6a6f9349df0ec1ed8c313e1b1e36ad12b8f77ebcd996eeb436734

SHA512
80f8935fc7eb5af4335346742973f85a1dd2e49790fea0a5218138fbca2e1fcd852556f373010ccbb5e4ad5341554dfb99f323c8380c63e0723812e3a86f6f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b9a911e-264e-4611-abdf-62380fca723f.vbs

Filesize
719B

MD5
ecd9f41fbe69651e0fd000c8a9e92c55

SHA1
043281416bdb6cbf2dfc8b9cabab29ebfa7c7260

SHA256
fe3754932361cd0f87dba6c79ff4cab26b1be7846a51980169cba2e17b6a51c9

SHA512
99c4eb756ac7c5eb202073c3e4f698ad3b156df5fead172665f76eb18fbda4e81664b30abb24babef07e80a5d1a8dc00682dac5762c298c7216d501f606fce0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\891b7320-aa4b-45da-8ea3-bc56e66f6ce3.vbs

Filesize
720B

MD5
39118e8797dc5e39d4cea5b5817cc8aa

SHA1
52474a48dd4601230f2ccfca4d3ce4dcd96e606f

SHA256
76dacbcbdad32e62619ec61cec0426267b50158625f524d38c70fad0b2aaf232

SHA512
bf76e818f6ab1afe1327dbc2ff56efd5315188aa37e7569a96af1f1b74802b5e81e75a0cf59593e8267321c3555f5c229b3fd77ba0a6db3c53ec266f7616cf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c14a8a3-0f43-4dac-a83d-f73fd4104533.vbs

Filesize
720B

MD5
19c04f0f2e64d5654ee8643334215c58

SHA1
584785e1dc2f3c9257fa2104a1181136af29f6f5

SHA256
c9aa8dc59a69b949df220d2199a046c763399710adc6df0817a868a514dd2d5d

SHA512
43f2ecaf56c2afb718559b5a2df7ee03eebc972641ced566f00ea398699a738628337876387546d29cefba1f39ce2551abba69b6c4c2a69b2f688283b43f06e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\baa145b2-81c0-4d89-9101-d205a8bddd08.vbs

Filesize
719B

MD5
063849a4b43ae18a23eb4e290b015ec4

SHA1
b2188c30507801fee8d73ac0c52e715ed6a5dd45

SHA256
37cfb9a80e03fcaec25c0d15d3f42ae335d9a0cb1941ece4b8526258741b6e6c

SHA512
97a3f4f12cd4da7ccae71bacdcc6134c7baf1b1a75a3848c4f47ebc68c20c31e4ad5b72ad4e521612f73aafae94fc9fb68418b45d336644c5ea93e11a2f1de5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed704654-667b-4d02-bacb-ca407b422495.vbs

Filesize
720B

MD5
7655e6d53621eb5c88870b77f8def3da

SHA1
da4cfeffe32ec4c964a9dc58a21dbb6b33ec15c6

SHA256
b8477999cb7abc477745f49e54f4410417a41b69a05980cd052014c8c753f839

SHA512
4125428d6ecb203dd07380721e4bd8a2d4c3a711aacb828ea13cc19445a435c692202f6ed7d89ee5324b965fea552395cbc8d1ab9be6ec5b12fbd9fe5f782ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef85ab7d-74f7-4563-951e-91e5eb668458.vbs

Filesize
720B

MD5
46f41b45f738c755058f59791a0c8c35

SHA1
86a9eada5dc09779e0f48d33d8b4107dc21f461c

SHA256
3e242594814443c07da7832d9e25b56d41aa52eb3de46116ea0393a232a1ebca

SHA512
1d1f10a7e4b7d46f5fd8feeb16f90ef20d5b874e687676a003934dbbfc7ed39b04d808d08348e423984ffca7934e7c598d64e66b3ff8b1c016b37f2cb99dabf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcc106e9-04d1-4b3f-8816-0e5f561a2d68.vbs

Filesize
720B

MD5
129221aed28ec877682d21435f4fad56

SHA1
69805f80c3598550318ed807eccbec442774267e

SHA256
5e29e1ac33de540a2c258a2cca750c8828defd2ea9b6922325795fac130facd1

SHA512
2b7759c5c4febfee429058204112e8652e6e5076f8d9e8e004054d37d8fb1ec42e34e71098172caeeb5e653d235e73d934129a2437c6b390fb6756f378849ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcedd0ee-70fb-40a9-b225-12936bffa2f1.vbs

Filesize
720B

MD5
28c90a00f191bc38a8d213882e4e5aa9

SHA1
fdf9b2617b21fd074d0ab17b0a655ca76e043a19

SHA256
fae141eedfab2717193622c9ab316f116bc954cd184617f15bf0a0ec5b963c23

SHA512
a5eb54ef4fcb9426e0aaebc616929e5340d9ff769b8e689abccb621f934e2eb412ded06852d7e8fda772428da5beb338de4d2513a5cde6139b7b245b42f0ead1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e5bf7cec385f4a41f6a93409df259a1

SHA1
f85f497a88300d705850320b37cd2e40f409e451

SHA256
3622057a37d063f8cce61e52a2166e4729247c95bf67ef91565b1b4763d6206f

SHA512
c12167b1207c09de779af333c4a5c54c876bae07f9df5effd52bbc20433ae02584c1ec2dc9514403a09ad87cdc17c17570d56f1f217c84025a49b1dbec45927f

Download Submit
C:\Windows\System32\accessibilitycpl\csrss.exe

Filesize
1.5MB

MD5
8261fc22f84b5aeed1dd90a21e189642

SHA1
14d5d5ab37929a700f93adfcb460da55b7409b34

SHA256
9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c

SHA512
f3c530c918c332a1cd21f9c9fb9593772616c9e90436ea6219296612c047a526c73326944f592f23c81cd2e8b4fa5168f52bf8c1f5133d0db03b5d9923179cec

Download Submit
C:\Windows\fveupdate\explorer.exe

Filesize
1.5MB

MD5
5ef8ceeb27537f13c15ea94129a4be52

SHA1
e09550886d77af195cb969e3656d23def648fa73

SHA256
9e9de26fbd0c0b574668e83df80a9aa5f9c214eaffb48e175dfae5f72af48f4f

SHA512
8bc780b00ba5c92fe19dc548eb2da433bee3dee89e928951f19965d80679a53e39daf164165e6faad3163325010ce394d6875c90e893edd440890bd5bc985660

Download Submit
memory/552-213-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1040-352-0x00000000000E0000-0x000000000025E000-memory.dmp

Filesize
1.5MB

Download
memory/1080-282-0x00000000000D0000-0x000000000024E000-memory.dmp

Filesize
1.5MB

Download
memory/1476-164-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1476-157-0x0000000000A50000-0x0000000000BCE000-memory.dmp

Filesize
1.5MB

Download
memory/1716-329-0x0000000001050000-0x00000000011CE000-memory.dmp

Filesize
1.5MB

Download
memory/1788-319-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1856-201-0x00000000012B0000-0x000000000142E000-memory.dmp

Filesize
1.5MB

Download
memory/1952-111-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1952-112-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/2016-258-0x0000000000330000-0x00000000004AE000-memory.dmp

Filesize
1.5MB

Download
memory/2116-188-0x00000000010D0000-0x000000000124E000-memory.dmp

Filesize
1.5MB

Download
memory/2116-189-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2176-307-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2256-11-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2256-20-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/2256-12-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2256-16-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/2256-13-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/2256-15-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2256-14-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2256-10-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2256-163-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-9-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2256-8-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2256-7-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2256-6-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2256-24-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2256-17-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2256-5-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2256-21-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/2256-4-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2256-1-0x00000000001E0000-0x000000000035E000-memory.dmp

Filesize
1.5MB

Download
memory/2256-18-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2256-3-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2256-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-176-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2532-175-0x0000000000170000-0x00000000002EE000-memory.dmp

Filesize
1.5MB

Download
memory/2796-344-0x0000000001090000-0x000000000120E000-memory.dmp

Filesize
1.5MB

Download
memory/2928-270-0x0000000001120000-0x000000000129E000-memory.dmp

Filesize
1.5MB

Download
memory/2940-295-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2940-294-0x0000000000E90000-0x000000000100E000-memory.dmp

Filesize
1.5MB

Download