dcrat | 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Size

4.9MB
MD5

028bdc90907407e6347ed647ec3a4520
SHA1

a4666b332fa2086a2367fca57e8f8516f661703f
SHA256

76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b
SHA512

a98b624d5a480fe88d23a0c11f52bf16c9f7631d1f0a4d8eb1255b1da325c8a78b997b75c43d79c6b16a1d9b6704315b931eba826ee0266487b099244a2a852e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2068	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2188-2-0x0000000001220000-0x000000000134E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2028	powershell.exe
1196	powershell.exe
3024	powershell.exe
2664	powershell.exe
1200	powershell.exe
2284	powershell.exe
2192	powershell.exe
1832	powershell.exe
2496	powershell.exe
524	powershell.exe
2980	powershell.exe
2736	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2616	winlogon.exe
1484	winlogon.exe
572	winlogon.exe
896	winlogon.exe
2428	winlogon.exe
2268	winlogon.exe
2916	winlogon.exe
1596	winlogon.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\winlogon.exe	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created	C:\Program Files\Windows Sidebar\es-ES\winlogon.exe	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File created	C:\Program Files\Windows Sidebar\es-ES\cc11b995f2a76d	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXEA14.tmp	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1692	schtasks.exe
2828	schtasks.exe
2892	schtasks.exe
2784	schtasks.exe
2232	schtasks.exe
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
524	powershell.exe
2192	powershell.exe
1196	powershell.exe
1200	powershell.exe
3024	powershell.exe
2028	powershell.exe
2496	powershell.exe
2980	powershell.exe
1832	powershell.exe
2736	powershell.exe
2664	powershell.exe
2284	powershell.exe
2616	winlogon.exe
1484	winlogon.exe
572	winlogon.exe
896	winlogon.exe
2428	winlogon.exe
2268	winlogon.exe
2916	winlogon.exe
1596	winlogon.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2616	winlogon.exe
Token: SeDebugPrivilege	1484	winlogon.exe
Token: SeDebugPrivilege	572	winlogon.exe
Token: SeDebugPrivilege	896	winlogon.exe
Token: SeDebugPrivilege	2428	winlogon.exe
Token: SeDebugPrivilege	2268	winlogon.exe
Token: SeDebugPrivilege	2916	winlogon.exe
Token: SeDebugPrivilege	1596	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2192	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	38
PID 2188 wrote to memory of 2192	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	38
PID 2188 wrote to memory of 2192	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	38
PID 2188 wrote to memory of 524	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	39
PID 2188 wrote to memory of 524	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	39
PID 2188 wrote to memory of 524	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	39
PID 2188 wrote to memory of 2496	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	40
PID 2188 wrote to memory of 2496	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	40
PID 2188 wrote to memory of 2496	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	40
PID 2188 wrote to memory of 1832	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	41
PID 2188 wrote to memory of 1832	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	41
PID 2188 wrote to memory of 1832	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	41
PID 2188 wrote to memory of 2284	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	42
PID 2188 wrote to memory of 2284	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	42
PID 2188 wrote to memory of 2284	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	42
PID 2188 wrote to memory of 1200	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	45
PID 2188 wrote to memory of 1200	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	45
PID 2188 wrote to memory of 1200	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	45
PID 2188 wrote to memory of 2736	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	46
PID 2188 wrote to memory of 2736	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	46
PID 2188 wrote to memory of 2736	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	46
PID 2188 wrote to memory of 2664	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	47
PID 2188 wrote to memory of 2664	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	47
PID 2188 wrote to memory of 2664	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	47
PID 2188 wrote to memory of 3024	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	49
PID 2188 wrote to memory of 3024	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	49
PID 2188 wrote to memory of 3024	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	49
PID 2188 wrote to memory of 2980	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	50
PID 2188 wrote to memory of 2980	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	50
PID 2188 wrote to memory of 2980	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	50
PID 2188 wrote to memory of 1196	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	51
PID 2188 wrote to memory of 1196	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	51
PID 2188 wrote to memory of 1196	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	51
PID 2188 wrote to memory of 2028	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	52
PID 2188 wrote to memory of 2028	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	52
PID 2188 wrote to memory of 2028	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	52
PID 2188 wrote to memory of 1096	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	54
PID 2188 wrote to memory of 1096	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	54
PID 2188 wrote to memory of 1096	2188	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe	54
PID 1096 wrote to memory of 1312	1096	cmd.exe	64
PID 1096 wrote to memory of 1312	1096	cmd.exe	64
PID 1096 wrote to memory of 1312	1096	cmd.exe	64
PID 1096 wrote to memory of 2616	1096	cmd.exe	65
PID 1096 wrote to memory of 2616	1096	cmd.exe	65
PID 1096 wrote to memory of 2616	1096	cmd.exe	65
PID 2616 wrote to memory of 2868	2616	winlogon.exe	66
PID 2616 wrote to memory of 2868	2616	winlogon.exe	66
PID 2616 wrote to memory of 2868	2616	winlogon.exe	66
PID 2616 wrote to memory of 2912	2616	winlogon.exe	67
PID 2616 wrote to memory of 2912	2616	winlogon.exe	67
PID 2616 wrote to memory of 2912	2616	winlogon.exe	67
PID 2868 wrote to memory of 1484	2868	WScript.exe	68
PID 2868 wrote to memory of 1484	2868	WScript.exe	68
PID 2868 wrote to memory of 1484	2868	WScript.exe	68
PID 1484 wrote to memory of 1868	1484	winlogon.exe	69
PID 1484 wrote to memory of 1868	1484	winlogon.exe	69
PID 1484 wrote to memory of 1868	1484	winlogon.exe	69
PID 1484 wrote to memory of 880	1484	winlogon.exe	70
PID 1484 wrote to memory of 880	1484	winlogon.exe	70
PID 1484 wrote to memory of 880	1484	winlogon.exe	70
PID 1868 wrote to memory of 572	1868	WScript.exe	71
PID 1868 wrote to memory of 572	1868	WScript.exe	71
PID 1868 wrote to memory of 572	1868	WScript.exe	71
PID 572 wrote to memory of 1616	572	winlogon.exe	72

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzBJK7Zui3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1312
- - C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
    "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2616
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edf23544-76fe-404a-a45d-6e74f9e318f0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1484
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83a64264-36ab-4ae2-b75b-dbede61776e4.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06d49204-390d-47f4-90e3-8f33ef0f4965.vbs"
        8⤵
        
        PID:1616
        
        C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd295424-8cb3-4dca-a4b4-10f8e1567953.vbs"
        10⤵
        
        PID:108
        
        C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e68c0ede-d22d-4a96-bbc7-b407036da2dd.vbs"
        12⤵
        
        PID:2828
        
        C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3fac9ca-7b55-43cf-8615-de9d22cbcde7.vbs"
        14⤵
        
        PID:2384
        
        C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e202db8b-aa5c-40c4-8f61-1b64a6daea9a.vbs"
        16⤵
        
        PID:2516
        
        C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc1de1af-6fb8-40fe-aaa0-38c303133f88.vbs"
        18⤵
        
        PID:2460
        
        C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"
        19⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81e311d7-f519-4d53-9431-1e7bbaa482e9.vbs"
        18⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1868b6-7699-4ae6-9e51-d17152c27d23.vbs"
        16⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e1810a6-2389-48a1-8419-7850e9da358b.vbs"
        14⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f24a0374-4f6c-41ec-9fff-44f3b829a08e.vbs"
        12⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e5e7ffc-0216-448b-b0f7-117422c84c0f.vbs"
        10⤵
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f1f0607-cadc-4fa7-a327-ffde549bbc47.vbs"
        8⤵
        
        PID:1492
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bc483a5-fe9c-409c-87f9-1c8a2c11d3b7.vbs"
        6⤵
        
        PID:880
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ab548e-353c-46c2-b31f-68b0ea1f0652.vbs"
      4⤵
      PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

Filesize
1.9MB

MD5
a5253cbb3e73b6a0b2c14a4973f84e2c

SHA1
63fdd07e867a4351bfa80bc9206fed940e24a683

SHA256
8e211e8e1ccded47c7d711dca911b6ef467c1825025c47a3214b9cb17593dc9a

SHA512
a51502d63a24176a206c19a249cec25a041b4f9001ea3005770129b28bcb86665588bc3140db64081a11a100a06b69f519ec2938e907cfd0b5a4ce448e33c165

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe

Filesize
4.9MB

MD5
028bdc90907407e6347ed647ec3a4520

SHA1
a4666b332fa2086a2367fca57e8f8516f661703f

SHA256
76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b

SHA512
a98b624d5a480fe88d23a0c11f52bf16c9f7631d1f0a4d8eb1255b1da325c8a78b997b75c43d79c6b16a1d9b6704315b931eba826ee0266487b099244a2a852e

Download Submit
C:\Users\Admin\AppData\Local\Temp\06d49204-390d-47f4-90e3-8f33ef0f4965.vbs

Filesize
726B

MD5
8d17c908cab1c7b491719d02f7feb0fc

SHA1
4805f1d60d5e3534a4ec3a15e7da36c6852ee593

SHA256
620a2f426c39dac14d24f1b7133ace1599b94b7e929d9b2267e7bdf6a50f3bfd

SHA512
6a2961cab6cf3f04630a0598cc6ca5b8a071b4410279dfee2b396f36908f316a738d159fdb5d75f265612e989eb79713e5b176b49b2015dbdcf8e68c974de736

Download Submit
C:\Users\Admin\AppData\Local\Temp\83a64264-36ab-4ae2-b75b-dbede61776e4.vbs

Filesize
727B

MD5
184a77f7070b33fff4640a51a29e3e2c

SHA1
1553e5ab086fb803cf02494d6ca30fd407e0af21

SHA256
3e5f9c56c8de29f9088b7cecc5ec07028b496139680dfbe69f08a0a034e5078b

SHA512
99d4a2c3e5f930e83c6b9c8e028b7d056b31e46c5daf1d449ee1035e013a0d287f2d645e2a7990f22872cd84ef3fe64c1da4152d7e90457d5e48fa3e5eef0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99ab548e-353c-46c2-b31f-68b0ea1f0652.vbs

Filesize
503B

MD5
eedd8ba5e992c69452f2720edb2318d8

SHA1
2cda769b4a5eee515094695dd86c4400fb75bc2d

SHA256
5c780019dff25dc6012ed39842991e1bb90c8f0fd215af570794c1f96b8d891b

SHA512
8bdd28dc0b7c2c13db454b02943b8656e39c0fcdb1065e522d8b8d6abb202cd87c086b677295cf927929fe92bd5f109f90757fc224ec4a33c9972333796bd96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc1de1af-6fb8-40fe-aaa0-38c303133f88.vbs

Filesize
727B

MD5
65457ca16a3e3c538d2bf4bc797afb00

SHA1
9b30e7814b98055dce8d41ca837f1d8e0bd1386a

SHA256
c128f9e2829740cc4c8540d1f399f7b4a334db249e67cc3035fb2477703444d4

SHA512
e4e54c401190463b0db85f91a21ee81518b117e9303077e74874febc0baf40c956fb48b95a049c1b7a9735eab2138954a7c3f2cd028ef60d16ec5b048dc2b9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3fac9ca-7b55-43cf-8615-de9d22cbcde7.vbs

Filesize
727B

MD5
83068d19a6240a845075d049fb693cd9

SHA1
d17f6bb10ebabf609757e53e7bf8a442aee529cb

SHA256
1d7c83d28b044b8a79d0307cdd10ecaa0ef8b8a7693670501680c2ff7c3f450b

SHA512
6ef0bbec4b20982b778718d5c5193f6975a4ffbb4dbf2aa485a50c3e1878f66fb8d9b9084148164eedfd0f84ba1d07ded75e6f3b9afc9bb8cf8e597617573fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e202db8b-aa5c-40c4-8f61-1b64a6daea9a.vbs

Filesize
727B

MD5
d90de39caab0de94c64e628e15fc131d

SHA1
cf81472cde7ab6a5f1a50fa9a3277e2e0141a715

SHA256
917853c9e5e1fb6f47fb9a27cb4c4e5ddf31f271ac7ac40af17725837897671e

SHA512
562f0c43e53f21cdda602b3fc89bb567f663755e2c9c8270f57696da23baf94634d274d082414f035109f29ed9cd2b498277fa1ca85ed05b5247ede297c3a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\e68c0ede-d22d-4a96-bbc7-b407036da2dd.vbs

Filesize
727B

MD5
acb20f116f350c5ace5c3b2b20cc8845

SHA1
9f30f2378a01ef148da3698a7ddb989b020994fb

SHA256
240a4e1134ba37f163c7b8a5f744063b3b305699ef9a2a8ee318d4e2d2b5d6f8

SHA512
45f1bcd4b22bb151989bf94f697f240164efbe34b186ad52d95a7195b8994130762f513ef11b98dda1427799b54e5b373d4aad2d87fa656a8d932678d242e5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\edf23544-76fe-404a-a45d-6e74f9e318f0.vbs

Filesize
727B

MD5
7f7e8f386e7295f6c93b4aaebaf0605b

SHA1
0ba83e4633959bb637bdb43f166c2a4f4c511ca6

SHA256
8f27dd2d14f3fc9b9a1c75c8bd9bb4cdb77bbbba45a47470c97230f7ce1b7191

SHA512
4442ca350111515fab62e5f1cda4629e78213fb18737ab8656bb78bdb7fd459ad635ac51814f583afbe05cad0f2d3213b59cdd8df572dff4fdd3a1f090332313

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd295424-8cb3-4dca-a4b4-10f8e1567953.vbs

Filesize
726B

MD5
02557bbc2b2d26b05bd8620ae48db042

SHA1
615d12778c874450081af4a8022fae0108685571

SHA256
3c36a70e5b5fcf9dad084e551e5c2c74b46a4559d22ec059a603fbda44e4fe70

SHA512
77ef77ec47108225b02973a2005c2388e51d5d62ec485675728865a2bf4f5f7b90b885ac16202127e577a0a2c20ee84308368aabd8d4458c959a5d323374a6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzBJK7Zui3.bat

Filesize
216B

MD5
f434bc1e79870beef7cdd006e776174d

SHA1
f95981aab38e36e2786f7171e0ba460c6988d2af

SHA256
adcd32d4ed0150d665b50eeebc56eb735ae1a0722388b8da6f086c782de7eb78

SHA512
61cdae15791b5abe7d2c7070ef4c986bdfae9fb52b2b299453d0ed97cf831c84d34887a9cbce33337f7835f091abd666f0f85cc25c5990c55a51a3e474f2fe72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp15D2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
58641b6d04a320fb797883b453e4b084

SHA1
01dad21ebd6bbff78aab76f7702f39af9fe9df3f

SHA256
566179c7ccb450dc938ba881e6c2442dd042f129fc2a99879feefdf9325115ae

SHA512
23c3e890b2f92dfabfd094b9eec2274cb8be39ec4dfbc7b9e6522c099ee83a55c7958acccb862663f5b2e867a5bfd1e5c4a3d3d37e9935ead5e785524653b292

Download Submit
memory/524-52-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/572-132-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download
memory/1484-117-0x0000000000260000-0x0000000000754000-memory.dmp

Filesize
5.0MB

Download
memory/2188-5-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2188-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2188-14-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/2188-13-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/2188-12-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2188-4-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/2188-9-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/2188-2-0x0000000001220000-0x000000000134E000-memory.dmp

Filesize
1.2MB

Download
memory/2188-11-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/2188-10-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/2188-1-0x0000000001350000-0x0000000001844000-memory.dmp

Filesize
5.0MB

Download
memory/2188-3-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-7-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/2188-15-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/2188-8-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2188-6-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/2188-49-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-16-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/2192-67-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2268-176-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/2428-161-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2616-103-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/2616-102-0x0000000001090000-0x0000000001584000-memory.dmp

Filesize
5.0MB

Download
memory/2916-191-0x0000000000DB0000-0x00000000012A4000-memory.dmp

Filesize
5.0MB

Download