dcrat | cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Size

1.8MB
MD5

d460777963c85344556aa9d4adc322a0
SHA1

cb0f873b26e938ef7d5b5dbe71aa23bc311400d3
SHA256

cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9
SHA512

a247b0454747177cdc7453bd5208b78ed8e37332b68d672de46e9ea0f2dc0da9947d3fc40f6bfcc6c74fd7a8ef371a311217c9f5c3c0f13c291d69dd2f9590af
SSDEEP

49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2692	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2692	schtasks.exe	31

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2788-1-0x00000000000D0000-0x000000000029E000-memory.dmp	dcrat
behavioral1/files/0x000d00000001866e-24.dat	dcrat
behavioral1/files/0x000c000000019397-101.dat	dcrat
behavioral1/files/0x00080000000191ff-121.dat	dcrat
behavioral1/memory/1820-166-0x0000000000CE0000-0x0000000000EAE000-memory.dmp	dcrat
behavioral1/memory/2328-251-0x0000000000E80000-0x000000000104E000-memory.dmp	dcrat
behavioral1/memory/1412-265-0x0000000001250000-0x000000000141E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1728	powershell.exe
2628	powershell.exe
2896	powershell.exe
2560	powershell.exe
1824	powershell.exe
2860	powershell.exe
2840	powershell.exe
1372	powershell.exe
2556	powershell.exe
892	powershell.exe
1352	powershell.exe
2768	powershell.exe
3016	powershell.exe
1328	powershell.exe
1700	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2328	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1412	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2516	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\csrss.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files\Windows Mail\RCXF876.tmp	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\csrss.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX86.tmp	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files\Windows Mail\wininit.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files\Windows Mail\it-IT\6ccacd8608530f	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files (x86)\MSBuild\886983d96e3d3e	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXF46F.tmp	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files\Windows Mail\wininit.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCX6FE.tmp	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXFA7A.tmp	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Idle.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\ad12c14214c8f1	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files\Windows Mail\56085415360792	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\886983d96e3d3e	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files\Windows Mail\it-IT\Idle.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\lsass.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Windows\CSC\Idle.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Windows\CSC\6ccacd8608530f	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Windows\CSC\RCXDE4.tmp	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Windows\CSC\Idle.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
352	schtasks.exe
1496	schtasks.exe
2556	schtasks.exe
2632	schtasks.exe
2760	schtasks.exe
2596	schtasks.exe
776	schtasks.exe
2948	schtasks.exe
1504	schtasks.exe
1564	schtasks.exe
2328	schtasks.exe
344	schtasks.exe
2256	schtasks.exe
2572	schtasks.exe
2600	schtasks.exe
1332	schtasks.exe
1176	schtasks.exe
1032	schtasks.exe
2244	schtasks.exe
1868	schtasks.exe
1216	schtasks.exe
1600	schtasks.exe
2232	schtasks.exe
832	schtasks.exe
2104	schtasks.exe
2352	schtasks.exe
1688	schtasks.exe
2032	schtasks.exe
340	schtasks.exe
2424	schtasks.exe
1860	schtasks.exe
900	schtasks.exe
1800	schtasks.exe
2868	schtasks.exe
1148	schtasks.exe
1572	schtasks.exe
1776	schtasks.exe
1536	schtasks.exe
2388	schtasks.exe
2396	schtasks.exe
1816	schtasks.exe
980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
3016	powershell.exe
2860	powershell.exe
2556	powershell.exe
2628	powershell.exe
2896	powershell.exe
1728	powershell.exe
1700	powershell.exe
1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1328	powershell.exe
1824	powershell.exe
892	powershell.exe
1352	powershell.exe
1372	powershell.exe
2840	powershell.exe
2560	powershell.exe
2768	powershell.exe
956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2328	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1412	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2516	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Token: SeDebugPrivilege	2328	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Token: SeDebugPrivilege	1412	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Token: SeDebugPrivilege	2516	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2860	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	74
PID 2788 wrote to memory of 2860	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	74
PID 2788 wrote to memory of 2860	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	74
PID 2788 wrote to memory of 2628	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	75
PID 2788 wrote to memory of 2628	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	75
PID 2788 wrote to memory of 2628	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	75
PID 2788 wrote to memory of 2896	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	76
PID 2788 wrote to memory of 2896	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	76
PID 2788 wrote to memory of 2896	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	76
PID 2788 wrote to memory of 3016	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	77
PID 2788 wrote to memory of 3016	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	77
PID 2788 wrote to memory of 3016	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	77
PID 2788 wrote to memory of 2560	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	78
PID 2788 wrote to memory of 2560	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	78
PID 2788 wrote to memory of 2560	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	78
PID 2788 wrote to memory of 2556	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	79
PID 2788 wrote to memory of 2556	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	79
PID 2788 wrote to memory of 2556	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	79
PID 2788 wrote to memory of 1328	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	80
PID 2788 wrote to memory of 1328	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	80
PID 2788 wrote to memory of 1328	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	80
PID 2788 wrote to memory of 892	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	81
PID 2788 wrote to memory of 892	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	81
PID 2788 wrote to memory of 892	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	81
PID 2788 wrote to memory of 2840	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	82
PID 2788 wrote to memory of 2840	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	82
PID 2788 wrote to memory of 2840	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	82
PID 2788 wrote to memory of 1352	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	83
PID 2788 wrote to memory of 1352	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	83
PID 2788 wrote to memory of 1352	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	83
PID 2788 wrote to memory of 1824	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	84
PID 2788 wrote to memory of 1824	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	84
PID 2788 wrote to memory of 1824	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	84
PID 2788 wrote to memory of 1700	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	85
PID 2788 wrote to memory of 1700	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	85
PID 2788 wrote to memory of 1700	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	85
PID 2788 wrote to memory of 2768	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	86
PID 2788 wrote to memory of 2768	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	86
PID 2788 wrote to memory of 2768	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	86
PID 2788 wrote to memory of 1372	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	87
PID 2788 wrote to memory of 1372	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	87
PID 2788 wrote to memory of 1372	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	87
PID 2788 wrote to memory of 1728	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	88
PID 2788 wrote to memory of 1728	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	88
PID 2788 wrote to memory of 1728	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	88
PID 2788 wrote to memory of 1820	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	104
PID 2788 wrote to memory of 1820	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	104
PID 2788 wrote to memory of 1820	2788	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	104
PID 1820 wrote to memory of 404	1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	105
PID 1820 wrote to memory of 404	1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	105
PID 1820 wrote to memory of 404	1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	105
PID 1820 wrote to memory of 2812	1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	106
PID 1820 wrote to memory of 2812	1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	106
PID 1820 wrote to memory of 2812	1820	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	106
PID 404 wrote to memory of 956	404	WScript.exe	107
PID 404 wrote to memory of 956	404	WScript.exe	107
PID 404 wrote to memory of 956	404	WScript.exe	107
PID 956 wrote to memory of 2916	956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	108
PID 956 wrote to memory of 2916	956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	108
PID 956 wrote to memory of 2916	956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	108
PID 956 wrote to memory of 1572	956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	109
PID 956 wrote to memory of 1572	956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	109
PID 956 wrote to memory of 1572	956	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	109
PID 2916 wrote to memory of 2328	2916	WScript.exe	110

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
"C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CSC\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
  "C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1820
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\018527ee-67a0-4a8b-95cf-97311b97c74f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
      "C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:956
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30527b78-b0a3-43dc-bc63-74cb918042d1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d146688-d242-4f28-bc0e-be30f4352735.vbs"
        7⤵
        
        PID:3016
        
        C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bf7f421-3d9f-478d-aebd-158c088f3fd7.vbs"
        9⤵
        
        PID:2768
        
        C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d5006e3-5053-4f26-80b2-d278e99d8097.vbs"
        11⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\669bbe5d-45ad-4d1f-b460-4062d73f6f13.vbs"
        11⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c3e5302-efcf-4864-8b74-07b80f3c3464.vbs"
        9⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa144082-91b9-46ac-a3f8-16387dceb282.vbs"
        7⤵
        
        PID:1496
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc66417e-29a9-49ee-b6ef-f0ef637b77ce.vbs"
        5⤵
        
        PID:1572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17afe48c-c6c5-4160-8903-b68b5290aa82.vbs"
    3⤵
    PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9Nc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9Nc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\CSC\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\CSC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\CSC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\csrss.exe

Filesize
1.8MB

MD5
d460777963c85344556aa9d4adc322a0

SHA1
cb0f873b26e938ef7d5b5dbe71aa23bc311400d3

SHA256
cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9

SHA512
a247b0454747177cdc7453bd5208b78ed8e37332b68d672de46e9ea0f2dc0da9947d3fc40f6bfcc6c74fd7a8ef371a311217c9f5c3c0f13c291d69dd2f9590af

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe

Filesize
1.8MB

MD5
95255ef6083c1f4c9ac91bd99c82d96f

SHA1
70a72353c3a3c6db5d6167ca7da19dfd0a14cdc7

SHA256
fa78834311026062016ced71b462e9dd964da7004fd7d73798315f2db443c60e

SHA512
02ddd1a906d8b3bda87d11a00ee901dd1438d544ab25e64a55f6da20d0b5180b000b95130319c39583d9962efd3e4d9397c1e072cde9293ca47c358756122061

Download Submit
C:\Program Files\Windows Mail\it-IT\Idle.exe

Filesize
1.8MB

MD5
e0adbc1932d25157185d6748ed059ca3

SHA1
81cf0dcf31b70b243bbc91bdb057ed79297feb4a

SHA256
939a5b2fae65e9c253878e48eb9ce1dd6e8ab67fbc412adacc86b26bab85149c

SHA512
ebd66384a2fdb3a3de0c1e7ac160b78b4bac2f17631fe7d2c2e9aa1414fd67ee58f85cfb6bc952a0a06109e764fefab4783ea2226ae49c13268d17f569e95904

Download Submit
C:\Users\Admin\AppData\Local\Temp\018527ee-67a0-4a8b-95cf-97311b97c74f.vbs

Filesize
791B

MD5
24fa437dd5d1ef58d041754e75e800df

SHA1
d3025c5e9a348ba4e2f0da0c2216aac79fd92d10

SHA256
91ef4bdd7a6f15000edc552bb25d598fee4f0e719fba650d46dd49d92b8c63bd

SHA512
50f19e0b615ca33d7aaf7c3efa81c3a3c3f9bd44ebdf707c286160985ebd251609ea85552a2314efa92abf6ed3a5349295fff2299f7a2b2d463173f381271810

Download Submit
C:\Users\Admin\AppData\Local\Temp\17afe48c-c6c5-4160-8903-b68b5290aa82.vbs

Filesize
567B

MD5
0766dea3279ec60e9304a8add730f663

SHA1
415852a172656bbff210f7708084f45936e547ea

SHA256
1081717685d166ed48701a5c657edd34d49a2d226b48656afe1cab03de3d687d

SHA512
02d9773dbee085120634cb4f8462f7b0aac2a78d495d78ddd43a16d5c870e8dfff83dbcb8e283e1c2eeaf220c722d46ac453a97eb10917532b314e2c1f1736b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d146688-d242-4f28-bc0e-be30f4352735.vbs

Filesize
791B

MD5
aff1f4612f1d9ac86b4c5a7274477e75

SHA1
b264252a6e39ba5403b63c62c866acfbfbdadf57

SHA256
a50a22b8ef8803a5e84e232084536692059223e7d52758a57c5f67d59432d6b1

SHA512
ba21e980636086599a19578d306023e97e0e6caae6e0efd80107b6cf9151238bc05fe6b51f8a2edf34ed4937163801a41bc933f1d040e5254dcb9bebc9e186ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d5006e3-5053-4f26-80b2-d278e99d8097.vbs

Filesize
791B

MD5
14903fc9ecb786193eea384c486e6345

SHA1
0befa37cb79b0fa66e5e36139566ae0454826993

SHA256
0515547483ecc7e89eebdbe5f6de6b2fb1271fea942f1635e44deb3bd39b70c4

SHA512
4c505e04c7158653f8345b30e75a9e83db9720cffc17f1ade784ccfbbf1839e81074aef7c5565986e275d6bea3eac3bf8ad249c59b70f8528963a1aeb0aba424

Download Submit
C:\Users\Admin\AppData\Local\Temp\30527b78-b0a3-43dc-bc63-74cb918042d1.vbs

Filesize
790B

MD5
651f4ef3089659a01c82d362a08d6190

SHA1
1b4a4592ad29a341100a50e2424bc5f8324fa54d

SHA256
59021df6b2abe08e281a6cde226e2d9da0107fe3eeaa7f8d2185023b8561dca8

SHA512
7da93fd19d307d541247e88a23efd4e1cf8c1b7b591b3801e5663047f4eeac5949a4d0ef288a854b65434fa34c852ba5478590886a66a60178bc4ef9ad822d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bf7f421-3d9f-478d-aebd-158c088f3fd7.vbs

Filesize
791B

MD5
41641990479348fe14ef74938ae9daa2

SHA1
4271d36bdba1783f3642fc2b5f15a2af25b32302

SHA256
2af119bc660fdaef55741790fe03f37bd93342679a9399b40ab05ce7c34fbe5b

SHA512
a03eee1120764cf132dadad4f68a88fb1e6124edef45c74583069c49ad2a74c5e00d89eb25c1fb8dd82aa87e1843772d8a4df32ab0221f3b75ed25be11248f11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4b9bd5feca0d530079ffc5769d4ad4fb

SHA1
c4473d728f043dbd390140925070c3e8c3d033d1

SHA256
12a374de670f67fd16b1d603ffd105373d2337e7fde7b971b9ba35759dea567e

SHA512
eb1dabba6882e60cd04def0aede4c96f1dc322cb545e03338df04a3c4c66ce0a4edca31701f5c5588a7c635edd5055fdb0438d38e92322d64ca9b0c363970221

Download Submit
memory/956-239-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/1412-265-0x0000000001250000-0x000000000141E000-memory.dmp

Filesize
1.8MB

Download
memory/1412-266-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/1820-166-0x0000000000CE0000-0x0000000000EAE000-memory.dmp

Filesize
1.8MB

Download
memory/1820-228-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1820-227-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2328-253-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/2328-252-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/2328-251-0x0000000000E80000-0x000000000104E000-memory.dmp

Filesize
1.8MB

Download
memory/2788-12-0x0000000002110000-0x000000000211E000-memory.dmp

Filesize
56KB

Download
memory/2788-3-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/2788-4-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2788-5-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2788-141-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2788-167-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2788-1-0x00000000000D0000-0x000000000029E000-memory.dmp

Filesize
1.8MB

Download
memory/2788-2-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2788-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2788-7-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/2788-15-0x0000000002280000-0x000000000228C000-memory.dmp

Filesize
48KB

Download
memory/2788-14-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/2788-13-0x0000000002160000-0x000000000216E000-memory.dmp

Filesize
56KB

Download
memory/2788-6-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/2788-11-0x0000000002100000-0x000000000210A000-memory.dmp

Filesize
40KB

Download
memory/2788-10-0x00000000008A0000-0x00000000008B2000-memory.dmp

Filesize
72KB

Download
memory/2788-9-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/2788-8-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download
memory/3016-164-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/3016-165-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download