dcrat | f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Size

4.9MB
MD5

06f186fc55f38b20a7273da22fe0007a
SHA1

3eae6dd2aec4dcd82864b9fbe446e85ea603784b
SHA256

f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7
SHA512

05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2400	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2400	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2556-3-0x000000001B610000-0x000000001B73E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1704	powershell.exe
1388	powershell.exe
3020	powershell.exe
2632	powershell.exe
912	powershell.exe
576	powershell.exe
760	powershell.exe
1748	powershell.exe
1732	powershell.exe
1368	powershell.exe
584	powershell.exe
656	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2580	wininit.exe
2072	wininit.exe
2952	wininit.exe
1784	wininit.exe
956	wininit.exe
2916	wininit.exe
2152	wininit.exe
2492	wininit.exe
1444	wininit.exe
896	wininit.exe
3016	wininit.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\en-US\audiodg.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\24dbde2999530e	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\RCXC48C.tmp	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\audiodg.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Program Files\Uninstall Information\services.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Program Files\DVD Maker\en-US\42af1c969fbb7b	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Program Files\Uninstall Information\services.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXCAA7.tmp	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXCF1C.tmp	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\IME\ja-JP\dwm.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Windows\IME\ja-JP\6cb0b6c459d5d3	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCXC288.tmp	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Windows\Panther\UnattendGC\csrss.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Windows\IME\ja-JP\RCXC69F.tmp	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Windows\IME\ja-JP\dwm.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Windows\Panther\UnattendGC\csrss.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Windows\Panther\UnattendGC\886983d96e3d3e	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1784	schtasks.exe
348	schtasks.exe
2844	schtasks.exe
2872	schtasks.exe
2920	schtasks.exe
2712	schtasks.exe
980	schtasks.exe
1752	schtasks.exe
1396	schtasks.exe
2812	schtasks.exe
2356	schtasks.exe
1148	schtasks.exe
2748	schtasks.exe
2336	schtasks.exe
2660	schtasks.exe
2060	schtasks.exe
1820	schtasks.exe
2708	schtasks.exe
2656	schtasks.exe
1660	schtasks.exe
2548	schtasks.exe
1156	schtasks.exe
1644	schtasks.exe
1812	schtasks.exe
2752	schtasks.exe
2764	schtasks.exe
1976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
1732	powershell.exe
912	powershell.exe
3020	powershell.exe
1704	powershell.exe
2632	powershell.exe
760	powershell.exe
584	powershell.exe
576	powershell.exe
1368	powershell.exe
656	powershell.exe
1388	powershell.exe
1748	powershell.exe
2580	wininit.exe
2072	wininit.exe
2952	wininit.exe
1784	wininit.exe
956	wininit.exe
2916	wininit.exe
2152	wininit.exe
2492	wininit.exe
1444	wininit.exe
896	wininit.exe
3016	wininit.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2580	wininit.exe
Token: SeDebugPrivilege	2072	wininit.exe
Token: SeDebugPrivilege	2952	wininit.exe
Token: SeDebugPrivilege	1784	wininit.exe
Token: SeDebugPrivilege	956	wininit.exe
Token: SeDebugPrivilege	2916	wininit.exe
Token: SeDebugPrivilege	2152	wininit.exe
Token: SeDebugPrivilege	2492	wininit.exe
Token: SeDebugPrivilege	1444	wininit.exe
Token: SeDebugPrivilege	896	wininit.exe
Token: SeDebugPrivilege	3016	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1748	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	59
PID 2556 wrote to memory of 1748	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	59
PID 2556 wrote to memory of 1748	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	59
PID 2556 wrote to memory of 1704	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	60
PID 2556 wrote to memory of 1704	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	60
PID 2556 wrote to memory of 1704	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	60
PID 2556 wrote to memory of 1732	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	62
PID 2556 wrote to memory of 1732	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	62
PID 2556 wrote to memory of 1732	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	62
PID 2556 wrote to memory of 912	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	63
PID 2556 wrote to memory of 912	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	63
PID 2556 wrote to memory of 912	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	63
PID 2556 wrote to memory of 1368	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	65
PID 2556 wrote to memory of 1368	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	65
PID 2556 wrote to memory of 1368	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	65
PID 2556 wrote to memory of 2632	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	67
PID 2556 wrote to memory of 2632	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	67
PID 2556 wrote to memory of 2632	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	67
PID 2556 wrote to memory of 3020	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	68
PID 2556 wrote to memory of 3020	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	68
PID 2556 wrote to memory of 3020	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	68
PID 2556 wrote to memory of 656	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	69
PID 2556 wrote to memory of 656	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	69
PID 2556 wrote to memory of 656	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	69
PID 2556 wrote to memory of 584	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	70
PID 2556 wrote to memory of 584	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	70
PID 2556 wrote to memory of 584	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	70
PID 2556 wrote to memory of 760	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	76
PID 2556 wrote to memory of 760	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	76
PID 2556 wrote to memory of 760	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	76
PID 2556 wrote to memory of 1388	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	78
PID 2556 wrote to memory of 1388	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	78
PID 2556 wrote to memory of 1388	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	78
PID 2556 wrote to memory of 576	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	79
PID 2556 wrote to memory of 576	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	79
PID 2556 wrote to memory of 576	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	79
PID 2556 wrote to memory of 2580	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	83
PID 2556 wrote to memory of 2580	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	83
PID 2556 wrote to memory of 2580	2556	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	83
PID 2580 wrote to memory of 2396	2580	wininit.exe	84
PID 2580 wrote to memory of 2396	2580	wininit.exe	84
PID 2580 wrote to memory of 2396	2580	wininit.exe	84
PID 2580 wrote to memory of 2964	2580	wininit.exe	85
PID 2580 wrote to memory of 2964	2580	wininit.exe	85
PID 2580 wrote to memory of 2964	2580	wininit.exe	85
PID 2396 wrote to memory of 2072	2396	WScript.exe	86
PID 2396 wrote to memory of 2072	2396	WScript.exe	86
PID 2396 wrote to memory of 2072	2396	WScript.exe	86
PID 2072 wrote to memory of 2876	2072	wininit.exe	87
PID 2072 wrote to memory of 2876	2072	wininit.exe	87
PID 2072 wrote to memory of 2876	2072	wininit.exe	87
PID 2072 wrote to memory of 2316	2072	wininit.exe	88
PID 2072 wrote to memory of 2316	2072	wininit.exe	88
PID 2072 wrote to memory of 2316	2072	wininit.exe	88
PID 2876 wrote to memory of 2952	2876	WScript.exe	89
PID 2876 wrote to memory of 2952	2876	WScript.exe	89
PID 2876 wrote to memory of 2952	2876	WScript.exe	89
PID 2952 wrote to memory of 1520	2952	wininit.exe	90
PID 2952 wrote to memory of 1520	2952	wininit.exe	90
PID 2952 wrote to memory of 1520	2952	wininit.exe	90
PID 2952 wrote to memory of 2260	2952	wininit.exe	91
PID 2952 wrote to memory of 2260	2952	wininit.exe	91
PID 2952 wrote to memory of 2260	2952	wininit.exe	91
PID 1520 wrote to memory of 1784	1520	WScript.exe	92

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
"C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
  "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\208a192f-a96b-4d04-976b-90aa2dd1b5d6.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
      C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8eb33e7-db98-404a-95b5-df6df348ad9f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\066e9875-25b5-4682-bd5d-7d5d05c03da8.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40b6bb81-65cd-4943-98dd-ec674b1b0f22.vbs"
        9⤵
        
        PID:1816
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98cd58a9-9309-444d-b0eb-0250696e23f5.vbs"
        11⤵
        
        PID:2044
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bf813ac-5175-471d-b0b5-7f498d300e29.vbs"
        13⤵
        
        PID:2584
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\231965c8-a309-4159-8594-322cc6cab1fe.vbs"
        15⤵
        
        PID:1584
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aa3d2af-2152-47b5-8f14-fbad1dc69275.vbs"
        17⤵
        
        PID:1784
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d9ebf60-2e7a-4a1b-bf9d-6d1818e73757.vbs"
        19⤵
        
        PID:2264
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c0b0ba0-d72c-46a8-a0c3-b52fd848fe62.vbs"
        21⤵
        
        PID:2812
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cfa9fb4-b9fa-47f6-ba37-16fe86e727d4.vbs"
        23⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e4c80db-eae1-45a5-981e-ffa3f9217640.vbs"
        23⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b480c08-3e67-4f98-a7da-4ac887a22e33.vbs"
        21⤵
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83804659-cbfa-4354-b51b-6b66b7a740af.vbs"
        19⤵
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd62a2e6-219d-49d6-bc27-f7f967a522c4.vbs"
        17⤵
        
        PID:576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c5fe27-e2eb-439f-9ebc-aeb67ea11097.vbs"
        15⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36fe749c-22e5-49de-a0cd-8bde3984a14e.vbs"
        13⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38ccb9b6-ba3e-45b6-8a71-97ddff17fcef.vbs"
        11⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6677ad5e-410f-482d-9f14-b1a977a93d78.vbs"
        9⤵
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb6707e5-ea3b-4d64-a6fd-275d122589c6.vbs"
        7⤵
        
        PID:2260
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1afa70ae-7718-4030-8543-d104703d6454.vbs"
        5⤵
        
        PID:2316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4abc938-a5f0-47d1-bb2a-f255a7a02034.vbs"
    3⤵
    PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IME\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\066e9875-25b5-4682-bd5d-7d5d05c03da8.vbs

Filesize
736B

MD5
c7b61b3ea28f6767be4a671e42cf18c5

SHA1
9e6f0d7f174af0940c87c68c6715de6c7ad845e2

SHA256
705d6c73ee20739de381ca8044963dae0edd3cd29ab32f957c90be5a1ad369c5

SHA512
e69b9f80e58b9dbfc3aaea3d591d1620171bed7806c92cbf758dbfe8de25167a2bc6b52cbd15e6d97bf727e695addfeaebfbf662458faf172129c375b4087754

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0b0ba0-d72c-46a8-a0c3-b52fd848fe62.vbs

Filesize
735B

MD5
d4ac0cd1778fb9babe4cbf11c2153e16

SHA1
f07159d516e491ef2721eef3186828caae20a3c4

SHA256
7a46c75c9ee59d041cf6c73234db6015582314b379ad18479f0d25949cf850ca

SHA512
3494e33425c789ab01b36bd9c8cbc365bdfde0a85e19453efeed4798ec4913a92060df300f5a790aa0c4c9ada8a1cdffcaeb4d1bccddbb061486d793db7181ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\208a192f-a96b-4d04-976b-90aa2dd1b5d6.vbs

Filesize
736B

MD5
056ced4aea7a3737e2d5492466720bd3

SHA1
89d7b0726ed8a54d56288a74849c83bd4cc4d385

SHA256
83d58e0ccc49268f6c577b50aa930bf69235dedba72fd8b88f82632a28c2bc7f

SHA512
fc2ea42c6123086bd026f944fb216248b8ff635d3ee151436661d41de5b07f9abc12d471c961557fd041feb92ed940977fd761309584808ebe83334c72a636ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\231965c8-a309-4159-8594-322cc6cab1fe.vbs

Filesize
736B

MD5
e57e586cd505907a1e425f4d7ce9f8da

SHA1
468f575e84126a06cf2ebe65e4783f75b8345a07

SHA256
8874da54c6a031cc01e665a362456c4dcf229a8a7b3567fb6c6c36f871e3f571

SHA512
2671b4ec5bce7339f2c416fde18672ec7687079a5be33145100aecd1b9fa2a4d7862aaa3f9066a5b3fa720c8fb9ab1d9e61cc1bc3b67a45adf62d32798272c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\40b6bb81-65cd-4943-98dd-ec674b1b0f22.vbs

Filesize
736B

MD5
8c077270672f7f0027da6ee06a4cadce

SHA1
88d792daa63e848386c21cdaba458691928bae46

SHA256
226b2d4cdad6e7fad361377afc52a5a0f4106bb2d6d7432b067277a26b3df11c

SHA512
b9cdd40563f150d997be27a7e9b4fcfd3f6b16b59d8c62f30eb0434e1a3657e98c169ab20536a9104f05f53c06d5f735dd4ea5af80e009df57e36b001773e7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d9ebf60-2e7a-4a1b-bf9d-6d1818e73757.vbs

Filesize
736B

MD5
3f15eaa38d201a0e9ee389e1acea8369

SHA1
a0de4e2fcc16f92949e3cf8002a10a9429e9a951

SHA256
7680b1eaa093319cab90b7dbe0e117b3a34d053fe7b307cf73120e4dbd6e6b2b

SHA512
16f2503a2b51c3e791249d5e77560f14670c9994f76f2003c84cee7f90192235801a61e39eaff10881f9e55bafc9dc91d6d443985b36e7a53f638ccf4313eb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\98cd58a9-9309-444d-b0eb-0250696e23f5.vbs

Filesize
735B

MD5
74eecdd8a57305e15057f5680c21d068

SHA1
5d9a5d76698bbc529a0c5726e4aff2909b85eef6

SHA256
302da9658eda6735a59e742256ddde4e0ea2b1780bc2dfe447e07439dca92af2

SHA512
3a6273e6b7d97a0fdb466dcfab0e598494b37a6ff97c8eb227bae852e507257513a9282c3d347ed200421f14145397fe9adb94959ff568b469268361e712f7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\9aa3d2af-2152-47b5-8f14-fbad1dc69275.vbs

Filesize
736B

MD5
eaa0c21de6b46d52d5b9d0e29f5bbf9d

SHA1
ad71183b822780a84c412c40fb49390aa714c7da

SHA256
593cbb6fee0547bbd085656cbe8f72b5613db54588269822e3bec5add076ee1f

SHA512
7a0678a795def525fffc3a5257f7dced3b27c2b61854e7fd0ccd5b948455a272290dbe5f818d313ede6446b3a673fc5299e55cb2dd0a35199d2f771a1788ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bf813ac-5175-471d-b0b5-7f498d300e29.vbs

Filesize
736B

MD5
2fbe19bec565bedb095b0d49a6ea61f0

SHA1
0f31658769ef2fdb20401301af8b05ef3a737e1c

SHA256
ae0286665e0a22d9bc360b150f07cc839059d9f378632a6ad977c08befec5295

SHA512
6c6fd0be34b904272cdb7841fa66fda6eade67ff24a7557bf87fa3c781498e184101ccb0c0cc48461487b574c5cad9f15a7aa9e113bf4dd515323973b2557891

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cfa9fb4-b9fa-47f6-ba37-16fe86e727d4.vbs

Filesize
736B

MD5
1dfb93225eae542dae63c8ed29330e56

SHA1
3851e06514adb9c00dfa2a3f046424912d468e7f

SHA256
c2551cc0745021834be09fe63f4e5f1bb017863c9845913366f185de7c85e402

SHA512
c9f100b8fb12a9c4dcaf55e7f60da215cab8cd67fe3d14c343c31c319b2ec7bc23e5f872c0d5cd4555b58f81972793f62c74037a05aba6ba89c7e837444b3295

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8eb33e7-db98-404a-95b5-df6df348ad9f.vbs

Filesize
736B

MD5
bdb26404f9234e38cf1a11aa2b262f68

SHA1
9e017be48aee7b034b2d7de74af817a4703642df

SHA256
72eb0ab59e7847bd67303af33911191ee1b52c34dc8ee1147f5168e382d84847

SHA512
0875f4a83841bfe635648ca9a4b7a6a3693ef2976fddc4e37ddf8bb36ae2a81ee07ee6c24735943818f28e318b5ac9d5967eacea32b132f1f43406cdbb89834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4abc938-a5f0-47d1-bb2a-f255a7a02034.vbs

Filesize
512B

MD5
37bbae9c7424d45b98e4de67f7108486

SHA1
761d578eaa161e52bf502651d114b6698ce46931

SHA256
d575feae7fd35bf21befe90827b3d38680b99a4ac8f79e98d362f37d8ba06779

SHA512
99e25c39a5c086572fb10258fee4122149f6c75b75ad6e151119ae2b98f6cf348aa56339e583a9cbe71695d34ba666708817a6e1951dce25f1bb1ab25b41dbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dea4f48b152f0b68d8b067b2fcec1d88

SHA1
a45d40a2cf6c962cbf4b433821f123f11f4584ce

SHA256
2af211d1d442b54eee362fb9ece91581b002d2004d34ef7f898e0c524a19d1ba

SHA512
bed09495d974d66cac924e5346bc69ddbd1dcd353a950837371ee89af0fc5668a9b0525f286b3c8cd48ecce4a05198c0e7afe290f471a42a223f021ed889de3c

Download Submit
C:\Windows\IME\ja-JP\dwm.exe

Filesize
4.9MB

MD5
06f186fc55f38b20a7273da22fe0007a

SHA1
3eae6dd2aec4dcd82864b9fbe446e85ea603784b

SHA256
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7

SHA512
05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37

Download Submit
memory/896-305-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/896-304-0x0000000000040000-0x0000000000534000-memory.dmp

Filesize
5.0MB

Download
memory/912-131-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/956-229-0x0000000000180000-0x0000000000674000-memory.dmp

Filesize
5.0MB

Download
memory/1444-289-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/1444-288-0x0000000000A80000-0x0000000000F74000-memory.dmp

Filesize
5.0MB

Download
memory/1732-141-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/1784-214-0x0000000000B10000-0x0000000001004000-memory.dmp

Filesize
5.0MB

Download
memory/2492-273-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download
memory/2556-10-0x0000000000870000-0x0000000000882000-memory.dmp

Filesize
72KB

Download
memory/2556-169-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-11-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/2556-3-0x000000001B610000-0x000000001B73E000-memory.dmp

Filesize
1.2MB

Download
memory/2556-2-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-0-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

Filesize
4KB

Download
memory/2556-9-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/2556-1-0x00000000008B0000-0x0000000000DA4000-memory.dmp

Filesize
5.0MB

Download
memory/2556-8-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2556-12-0x0000000000890000-0x000000000089E000-memory.dmp

Filesize
56KB

Download
memory/2556-7-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2556-13-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/2556-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2556-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2556-16-0x0000000002570000-0x000000000257C000-memory.dmp

Filesize
48KB

Download
memory/2556-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2556-15-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2556-14-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2580-143-0x0000000000E90000-0x0000000001384000-memory.dmp

Filesize
5.0MB

Download
memory/2580-172-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/2916-244-0x00000000010D0000-0x00000000015C4000-memory.dmp

Filesize
5.0MB

Download
memory/2952-199-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2952-198-0x0000000000280000-0x0000000000774000-memory.dmp

Filesize
5.0MB

Download
memory/3016-320-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download