dcrat | 2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Size

4.9MB
MD5

c352be4e4eadf26973f9bff1e60635b0
SHA1

a4b01b3e58aafd467e23d2eaada670116d2f7971
SHA256

2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111e
SHA512

a8471c5325c5d205adaa90aa51ea9b9dd08f8622a9cf3424c490818b1a0504447f84296e5fd2615544f8e2cb90fdd5a9d50f319387049162dd88137940174c8f
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2980	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2980	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2472-3-0x000000001B650000-0x000000001B77E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
600	powershell.exe
952	powershell.exe
2024	powershell.exe
2120	powershell.exe
2188	powershell.exe
1000	powershell.exe
2388	powershell.exe
2400	powershell.exe
1232	powershell.exe
688	powershell.exe
2288	powershell.exe
564	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2496	winlogon.exe
1340	winlogon.exe
1820	winlogon.exe
2924	winlogon.exe
2472	winlogon.exe
872	winlogon.exe
1968	winlogon.exe
1432	winlogon.exe
832	winlogon.exe
840	winlogon.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Journal\es-ES\RCX851B.tmp	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX93A3.tmp	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsm.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files\Windows Journal\es-ES\6ccacd8608530f	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsm.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\Idle.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\RCX8923.tmp	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files\Windows Journal\es-ES\Idle.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\d9670410ceec8a	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\101b941d020240	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Media\Cityscape\wininit.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Windows\Media\Cityscape\56085415360792	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Windows\Media\Cityscape\RCX919F.tmp	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Windows\Media\Cityscape\wininit.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2404	schtasks.exe
2568	schtasks.exe
980	schtasks.exe
2152	schtasks.exe
2564	schtasks.exe
2996	schtasks.exe
2524	schtasks.exe
2168	schtasks.exe
568	schtasks.exe
2608	schtasks.exe
2856	schtasks.exe
2960	schtasks.exe
2676	schtasks.exe
2308	schtasks.exe
604	schtasks.exe
1904	schtasks.exe
2144	schtasks.exe
380	schtasks.exe
3000	schtasks.exe
2944	schtasks.exe
1376	schtasks.exe
2900	schtasks.exe
2076	schtasks.exe
1944	schtasks.exe
2928	schtasks.exe
2644	schtasks.exe
2316	schtasks.exe
3052	schtasks.exe
1272	schtasks.exe
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
952	powershell.exe
2288	powershell.exe
2024	powershell.exe
1000	powershell.exe
2188	powershell.exe
2400	powershell.exe
564	powershell.exe
1232	powershell.exe
688	powershell.exe
600	powershell.exe
2388	powershell.exe
2120	powershell.exe
1340	winlogon.exe
1820	winlogon.exe
2924	winlogon.exe
2472	winlogon.exe
872	winlogon.exe
1968	winlogon.exe
1432	winlogon.exe
832	winlogon.exe
840	winlogon.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1340	winlogon.exe
Token: SeDebugPrivilege	1820	winlogon.exe
Token: SeDebugPrivilege	2924	winlogon.exe
Token: SeDebugPrivilege	2472	winlogon.exe
Token: SeDebugPrivilege	872	winlogon.exe
Token: SeDebugPrivilege	1968	winlogon.exe
Token: SeDebugPrivilege	1432	winlogon.exe
Token: SeDebugPrivilege	832	winlogon.exe
Token: SeDebugPrivilege	840	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 688	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	61
PID 2472 wrote to memory of 688	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	61
PID 2472 wrote to memory of 688	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	61
PID 2472 wrote to memory of 2288	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	62
PID 2472 wrote to memory of 2288	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	62
PID 2472 wrote to memory of 2288	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	62
PID 2472 wrote to memory of 600	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	63
PID 2472 wrote to memory of 600	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	63
PID 2472 wrote to memory of 600	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	63
PID 2472 wrote to memory of 952	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	64
PID 2472 wrote to memory of 952	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	64
PID 2472 wrote to memory of 952	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	64
PID 2472 wrote to memory of 2024	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	66
PID 2472 wrote to memory of 2024	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	66
PID 2472 wrote to memory of 2024	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	66
PID 2472 wrote to memory of 2120	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	67
PID 2472 wrote to memory of 2120	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	67
PID 2472 wrote to memory of 2120	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	67
PID 2472 wrote to memory of 2188	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	68
PID 2472 wrote to memory of 2188	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	68
PID 2472 wrote to memory of 2188	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	68
PID 2472 wrote to memory of 1232	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	69
PID 2472 wrote to memory of 1232	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	69
PID 2472 wrote to memory of 1232	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	69
PID 2472 wrote to memory of 2400	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	71
PID 2472 wrote to memory of 2400	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	71
PID 2472 wrote to memory of 2400	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	71
PID 2472 wrote to memory of 2388	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	72
PID 2472 wrote to memory of 2388	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	72
PID 2472 wrote to memory of 2388	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	72
PID 2472 wrote to memory of 564	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	74
PID 2472 wrote to memory of 564	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	74
PID 2472 wrote to memory of 564	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	74
PID 2472 wrote to memory of 1000	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	75
PID 2472 wrote to memory of 1000	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	75
PID 2472 wrote to memory of 1000	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	75
PID 2472 wrote to memory of 2496	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	85
PID 2472 wrote to memory of 2496	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	85
PID 2472 wrote to memory of 2496	2472	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	85
PID 1208 wrote to memory of 1340	1208	WScript.exe	88
PID 1208 wrote to memory of 1340	1208	WScript.exe	88
PID 1208 wrote to memory of 1340	1208	WScript.exe	88
PID 1340 wrote to memory of 2832	1340	winlogon.exe	90
PID 1340 wrote to memory of 2832	1340	winlogon.exe	90
PID 1340 wrote to memory of 2832	1340	winlogon.exe	90
PID 1340 wrote to memory of 2672	1340	winlogon.exe	91
PID 1340 wrote to memory of 2672	1340	winlogon.exe	91
PID 1340 wrote to memory of 2672	1340	winlogon.exe	91
PID 2832 wrote to memory of 1820	2832	WScript.exe	92
PID 2832 wrote to memory of 1820	2832	WScript.exe	92
PID 2832 wrote to memory of 1820	2832	WScript.exe	92
PID 1820 wrote to memory of 2256	1820	winlogon.exe	93
PID 1820 wrote to memory of 2256	1820	winlogon.exe	93
PID 1820 wrote to memory of 2256	1820	winlogon.exe	93
PID 1820 wrote to memory of 1140	1820	winlogon.exe	94
PID 1820 wrote to memory of 1140	1820	winlogon.exe	94
PID 1820 wrote to memory of 1140	1820	winlogon.exe	94
PID 2256 wrote to memory of 2924	2256	WScript.exe	95
PID 2256 wrote to memory of 2924	2256	WScript.exe	95
PID 2256 wrote to memory of 2924	2256	WScript.exe	95
PID 2924 wrote to memory of 2436	2924	winlogon.exe	96
PID 2924 wrote to memory of 2436	2924	winlogon.exe	96
PID 2924 wrote to memory of 2436	2924	winlogon.exe	96
PID 2924 wrote to memory of 352	2924	winlogon.exe	97

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
"C:\Users\Admin\AppData\Local\Temp\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System policy modification
  PID:2496
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\590208f7-2527-49ce-94f9-1c4cee173b9d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
      "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1340
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aed81c4-c9d2-4dbe-a1e4-fadd9db64d07.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24d8401e-292a-422d-8316-9b70f45f7350.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8340360d-2b55-4464-8ae9-e061042aaac4.vbs"
        9⤵
        
        PID:2436
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51bcea7c-c420-4955-bfd2-b147ba537c58.vbs"
        11⤵
        
        PID:1252
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1989a679-a2b1-490c-844e-37270e7d0619.vbs"
        13⤵
        
        PID:3020
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2dd7aeb-378c-4fff-8907-240c7b4b5667.vbs"
        15⤵
        
        PID:940
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\825c19d8-7692-48e8-a0de-5d40abd25563.vbs"
        17⤵
        
        PID:1996
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e92b5994-3c8a-420b-a044-668ee7219111.vbs"
        19⤵
        
        PID:1596
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328b5a9a-d65b-4dd1-9f9a-4fda889521bb.vbs"
        21⤵
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4501746-6a2a-4cd9-a4e7-d85a2a343a6b.vbs"
        21⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59c761fc-e353-4e2c-90bf-105e81fdcc64.vbs"
        19⤵
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\172015f7-e593-480c-833a-af40636ef1c4.vbs"
        17⤵
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddf09645-b74a-4bb2-aa67-585aa0d19ce8.vbs"
        15⤵
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a27f6d88-28bc-408e-80db-3fb38cbe90d2.vbs"
        13⤵
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4c811d5-0549-41b5-ae49-cfeca84b989a.vbs"
        11⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6271222c-1a65-40fd-bac4-735265b3d7bf.vbs"
        9⤵
        
        PID:352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ef1ea2a-6162-4dc8-b8cb-8d92e5119a2f.vbs"
        7⤵
        
        PID:1140
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c936d99b-3614-4732-b738-429c03f14e9a.vbs"
        5⤵
        
        PID:2672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04fda631-523b-42f7-9b2b-2bf26077cf10.vbs"
    3⤵
    PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN2" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN2" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Cityscape\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Cityscape\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\it-IT\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe

Filesize
4.9MB

MD5
c352be4e4eadf26973f9bff1e60635b0

SHA1
a4b01b3e58aafd467e23d2eaada670116d2f7971

SHA256
2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111e

SHA512
a8471c5325c5d205adaa90aa51ea9b9dd08f8622a9cf3424c490818b1a0504447f84296e5fd2615544f8e2cb90fdd5a9d50f319387049162dd88137940174c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1989a679-a2b1-490c-844e-37270e7d0619.vbs

Filesize
750B

MD5
210620a266263a32c963d5cd076b432d

SHA1
dc1133ae07ef5f7d2759a5052990ee9c80a37aae

SHA256
4b9ffb7cf92d6bb7c115318908f4521152735e4e37b194a5b35d3847d07a2df4

SHA512
02f2dee33d68bbc7e54608edcbf941e6f07472bfe401a5156a0c1357cf93b5a299eddd55848527defa08b1889bebfc716285d3222f260d9b962c3bca105884e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1aed81c4-c9d2-4dbe-a1e4-fadd9db64d07.vbs

Filesize
751B

MD5
d85bf6e1ab7a8913507e8d7c0d83dd44

SHA1
5c7504166e9a39a04501950d785dc389a17bfa16

SHA256
32b4b43f6b56f522bc92f137e71352e5b39ca6efd79a98f949d4eadbb62d76cd

SHA512
3dbc906d8da16b760258c823fbbe19d99c32ca9a56602a785f5585cf71e21030e0f7217c070be76b6308c943a56d6e0f39f0f8c8497d497421307faf766ba8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\24d8401e-292a-422d-8316-9b70f45f7350.vbs

Filesize
751B

MD5
01082f0ed48465238c56364e7d5d5b0f

SHA1
de2040cc33850bbd95d93543f9fb51e0f3318ad9

SHA256
14ba8f3bf67e6dabfe36e12efe3db9c9904f6aa2a161e86405b6b36d81f8ce0a

SHA512
c1dd6560533c4af7d2f03b3c08086c720987ab98c0db8d1cef48a37e544de76aaa7e5bf2016471c77e784cb0b3ceaec979b2709700b873983822b37c7c06efa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\328b5a9a-d65b-4dd1-9f9a-4fda889521bb.vbs

Filesize
750B

MD5
00dc50c93a19ff494b1883c4c530dc83

SHA1
f11964bf3b7577288faf07f0feaf17652a665278

SHA256
356fd19db47360d00e3fe66f8ed0f1b141cb9ca921c7c46353d69f98ad1bc5d7

SHA512
4080405c54762e435bb91df02a2ee7db5474d530fe976586d0e841066b34729ee542c6ecac87462dcc28e6489b50f9c8100f4aa5e865ece37c1e38610dd6ac8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\51bcea7c-c420-4955-bfd2-b147ba537c58.vbs

Filesize
751B

MD5
aa732c10f4a1a6476cdf447af7ab6fe4

SHA1
ff312275e6e4eaeec5fa23eb58ca3c6d6ec3b8e8

SHA256
9887b24d5676775717f809251571bf42237045b844fcfa4a533618a25820530b

SHA512
01fad500438b9446e03a978e48d6ff0b2d48662d962dafe28e9c6282615243a53a38298542568c51e4ce9728c6c67d787c5cfba2996eb9ea303356971821d0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\825c19d8-7692-48e8-a0de-5d40abd25563.vbs

Filesize
751B

MD5
7d0936c48e1d15bfea6c8ff147c9de5c

SHA1
a587afdd7aed24257763b28289e3f64fe133ce23

SHA256
14c086610a44cc76003d4ad9e6e79f875a15d22b97d60101862aaa900ff1b46a

SHA512
90718368b953518847aa15b7eb59c9cbe858e98a6f12db28921738435c1b4c90cd1189853bfffd998e8f126ed5ecc1774619019181ba500ef1299dadd188e5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8340360d-2b55-4464-8ae9-e061042aaac4.vbs

Filesize
751B

MD5
4f3ba7cc8d333cf7828708bf4f098165

SHA1
0ed78c31a6aa88847f2df70f94a25f8c8aca1c4d

SHA256
b415cda81210c77999e456cb2ac2eb680bacfe2739b96cce47d44a53d1f222d2

SHA512
b34d5c55685503a3c7ef86b4ba2a7ae3ae88aa20aee6c4d95a8d799dd43936d1d0a37c5664675b20d6986a73392881a796a222bc4f7cd9602a85415920c57efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2dd7aeb-378c-4fff-8907-240c7b4b5667.vbs

Filesize
751B

MD5
92ce935df7f0e3321c79920fc410411e

SHA1
4d8acc1faa72bec5cb1c91e92af6ece98251c798

SHA256
9857ccc6b1d4631acd554473e1452dcd87a6917ed605df2d28f0cbf1720e3628

SHA512
10636a3ab78f531b59a23b1bdebd5d615d5a85f35f0bd0e85838b5317b7a4838caa1f3fe1e7af44096d7cc813f55be9b5c05459d6564623c32a5b5dcfbece1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\c936d99b-3614-4732-b738-429c03f14e9a.vbs

Filesize
527B

MD5
722cd290a21bb65a28964fa9a3efc504

SHA1
733ebf49d3b051efac249423d27bac3e7bf477a8

SHA256
247f954266ec494a0ebc4e4e0f4dea560d1a3f6b4ec68d578e45c24c9fc89321

SHA512
1b9e9dc58b5dc8f58cc670159cd92b5e0eeaca6d94465947e999f293345f0c7f20f5f2c34df0d22cde3a80bca37589f3f9500f79a6b88c8fa7078de8585648a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e92b5994-3c8a-420b-a044-668ee7219111.vbs

Filesize
750B

MD5
814ebd7966fca04fb8aef4a9605cb317

SHA1
2057d067eb81f7cd6814e7743321cf6747717af8

SHA256
5049d02dd684ba4100d6afcee34c68de52e3e18ed3c8f0e2c9ee6887d009ee07

SHA512
042d55f8a20ff7c3821803d6fefa340552b9b88b16033cd3e9d9cc826dcfcc3d6913a2cb423b98872591d36c6fb67f539e696bc114f7dc3686da1a7ff4f38ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD6B0.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1eab5b5086ac0855f57f47e631014dc3

SHA1
e159df814504f1fe3675a51c01b8bec0b94232c8

SHA256
aa4ddb379fdcd7c4276b69200c757468bbdac20b8d4749874e659ef67543cd61

SHA512
4c91f7c2611b531a7853452f24e052a66464e36aab5220e0910adc61c1f03608ae3c2c993ea424f1c792c31ea1d8b0842f9e606871c13885bcfc40b17fbf4107

Download Submit
memory/832-279-0x0000000001170000-0x0000000001664000-memory.dmp

Filesize
5.0MB

Download
memory/872-235-0x00000000012C0000-0x00000000017B4000-memory.dmp

Filesize
5.0MB

Download
memory/952-128-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/952-129-0x00000000029D0000-0x00000000029D8000-memory.dmp

Filesize
32KB

Download
memory/1340-177-0x0000000000D60000-0x0000000001254000-memory.dmp

Filesize
5.0MB

Download
memory/1432-264-0x00000000000B0000-0x00000000005A4000-memory.dmp

Filesize
5.0MB

Download
memory/1820-191-0x0000000000020000-0x0000000000514000-memory.dmp

Filesize
5.0MB

Download
memory/2472-5-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2472-9-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2472-16-0x0000000002630000-0x000000000263C000-memory.dmp

Filesize
48KB

Download
memory/2472-13-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/2472-12-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/2472-11-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/2472-0-0x000007FEF5443000-0x000007FEF5444000-memory.dmp

Filesize
4KB

Download
memory/2472-10-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/2472-1-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2472-15-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2472-221-0x0000000000F40000-0x0000000001434000-memory.dmp

Filesize
5.0MB

Download
memory/2472-8-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2472-7-0x00000000009E0000-0x00000000009F6000-memory.dmp

Filesize
88KB

Download
memory/2472-6-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/2472-14-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2472-114-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-4-0x00000000009C0000-0x00000000009DC000-memory.dmp

Filesize
112KB

Download
memory/2472-3-0x000000001B650000-0x000000001B77E000-memory.dmp

Filesize
1.2MB

Download
memory/2472-2-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-206-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download