dcrat | 3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Size

4.9MB
MD5

4e514931905d8a3ba2ffced857ab81db
SHA1

7358c9e22b7544d30ba34f86fe7e37e58a263285
SHA256

3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e
SHA512

b650c79e5c5975d0b819e155ac8caae5a7e4fcdc86aea82357af855a4fcd458d019c920b208788d38b0d31cc967a6775eda23aeb7cef03b4fb5653fa211d4e30
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 13 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		484	schtasks.exe
		2800	schtasks.exe
		2744	schtasks.exe
		2812	schtasks.exe
		2856	schtasks.exe
		3064	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
		1632	schtasks.exe
		2832	schtasks.exe
		2844	schtasks.exe
		2616	schtasks.exe
		2740	schtasks.exe
		2724	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2260	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2260	schtasks.exe	31

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2552-3-0x000000001B630000-0x000000001B75E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
2688	powershell.exe
2384	powershell.exe
2344	powershell.exe
2884	powershell.exe
2840	powershell.exe
788	powershell.exe
2620	powershell.exe
2664	powershell.exe
1792	powershell.exe
2636	powershell.exe
2900	powershell.exe
2656	powershell.exe
2728	powershell.exe
1980	powershell.exe
2628	powershell.exe
2336	powershell.exe
2632	powershell.exe
2780	powershell.exe
2612	powershell.exe
2212	powershell.exe
2652	powershell.exe
2616	powershell.exe
2736	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
1920	System.exe
2904	System.exe
2256	System.exe
1788	System.exe
2700	System.exe
1416	System.exe
2276	System.exe
2596	System.exe
1600	System.exe
668	System.exe
2784	System.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\27d1bcfc3c54e0	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
2744	schtasks.exe
2812	schtasks.exe
2616	schtasks.exe
3064	schtasks.exe
1632	schtasks.exe
484	schtasks.exe
2800	schtasks.exe
2844	schtasks.exe
2856	schtasks.exe
2832	schtasks.exe
2724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
2688	powershell.exe
2660	powershell.exe
2736	powershell.exe
2336	powershell.exe
2344	powershell.exe
2620	powershell.exe
2612	powershell.exe
1980	powershell.exe
2628	powershell.exe
2384	powershell.exe
2212	powershell.exe
2652	powershell.exe
2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
2616	powershell.exe
2884	powershell.exe
2780	powershell.exe
2632	powershell.exe
2656	powershell.exe
2664	powershell.exe
2900	powershell.exe
788	powershell.exe
2728	powershell.exe
2636	powershell.exe
1792	powershell.exe
2840	powershell.exe
1920	System.exe
2904	System.exe
2256	System.exe
1788	System.exe
2700	System.exe
1416	System.exe
2276	System.exe
2596	System.exe
1600	System.exe
668	System.exe
2784	System.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1920	System.exe
Token: SeDebugPrivilege	2904	System.exe
Token: SeDebugPrivilege	2256	System.exe
Token: SeDebugPrivilege	1788	System.exe
Token: SeDebugPrivilege	2700	System.exe
Token: SeDebugPrivilege	1416	System.exe
Token: SeDebugPrivilege	2276	System.exe
Token: SeDebugPrivilege	2596	System.exe
Token: SeDebugPrivilege	1600	System.exe
Token: SeDebugPrivilege	668	System.exe
Token: SeDebugPrivilege	2784	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1980	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	38
PID 2552 wrote to memory of 1980	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	38
PID 2552 wrote to memory of 1980	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	38
PID 2552 wrote to memory of 2612	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	39
PID 2552 wrote to memory of 2612	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	39
PID 2552 wrote to memory of 2612	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	39
PID 2552 wrote to memory of 2620	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	40
PID 2552 wrote to memory of 2620	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	40
PID 2552 wrote to memory of 2620	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	40
PID 2552 wrote to memory of 2628	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	41
PID 2552 wrote to memory of 2628	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	41
PID 2552 wrote to memory of 2628	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	41
PID 2552 wrote to memory of 2660	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	42
PID 2552 wrote to memory of 2660	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	42
PID 2552 wrote to memory of 2660	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	42
PID 2552 wrote to memory of 2688	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	43
PID 2552 wrote to memory of 2688	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	43
PID 2552 wrote to memory of 2688	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	43
PID 2552 wrote to memory of 2736	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	44
PID 2552 wrote to memory of 2736	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	44
PID 2552 wrote to memory of 2736	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	44
PID 2552 wrote to memory of 2384	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	45
PID 2552 wrote to memory of 2384	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	45
PID 2552 wrote to memory of 2384	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	45
PID 2552 wrote to memory of 2336	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	46
PID 2552 wrote to memory of 2336	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	46
PID 2552 wrote to memory of 2336	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	46
PID 2552 wrote to memory of 2344	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	47
PID 2552 wrote to memory of 2344	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	47
PID 2552 wrote to memory of 2344	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	47
PID 2552 wrote to memory of 2652	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	48
PID 2552 wrote to memory of 2652	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	48
PID 2552 wrote to memory of 2652	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	48
PID 2552 wrote to memory of 2212	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	49
PID 2552 wrote to memory of 2212	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	49
PID 2552 wrote to memory of 2212	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	49
PID 2552 wrote to memory of 2716	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	62
PID 2552 wrote to memory of 2716	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	62
PID 2552 wrote to memory of 2716	2552	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	62
PID 2716 wrote to memory of 2440	2716	cmd.exe	64
PID 2716 wrote to memory of 2440	2716	cmd.exe	64
PID 2716 wrote to memory of 2440	2716	cmd.exe	64
PID 2716 wrote to memory of 2236	2716	cmd.exe	65
PID 2716 wrote to memory of 2236	2716	cmd.exe	65
PID 2716 wrote to memory of 2236	2716	cmd.exe	65
PID 2236 wrote to memory of 2884	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	72
PID 2236 wrote to memory of 2884	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	72
PID 2236 wrote to memory of 2884	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	72
PID 2236 wrote to memory of 2636	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	73
PID 2236 wrote to memory of 2636	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	73
PID 2236 wrote to memory of 2636	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	73
PID 2236 wrote to memory of 2840	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	74
PID 2236 wrote to memory of 2840	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	74
PID 2236 wrote to memory of 2840	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	74
PID 2236 wrote to memory of 2900	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	76
PID 2236 wrote to memory of 2900	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	76
PID 2236 wrote to memory of 2900	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	76
PID 2236 wrote to memory of 2616	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	77
PID 2236 wrote to memory of 2616	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	77
PID 2236 wrote to memory of 2616	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	77
PID 2236 wrote to memory of 2632	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	78
PID 2236 wrote to memory of 2632	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	78
PID 2236 wrote to memory of 2632	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	78
PID 2236 wrote to memory of 788	2236	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe	79

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
"C:\Users\Admin\AppData\Local\Temp\3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bxb1a8eWE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2440
- - C:\Users\Admin\AppData\Local\Temp\3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe
    "C:\Users\Admin\AppData\Local\Temp\3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2664
  - - C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
      "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf1c6c69-6313-475e-b3d1-6a526b04ce64.vbs"
        5⤵
        
        PID:904
      - C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c9c12d-a25e-4449-98e7-aa8d36d507b2.vbs"
        7⤵
        
        PID:3028
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a908ba3-6569-4812-be72-b68d616d3e2e.vbs"
        9⤵
        
        PID:2952
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5787db1c-fa75-4d3e-bf60-eaa831e81a4b.vbs"
        11⤵
        
        PID:1196
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cfd38b8-2d70-41a5-988f-0ba9c074c203.vbs"
        13⤵
        
        PID:2716
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04fac11f-90fb-43e1-b5fa-70c36911c968.vbs"
        15⤵
        
        PID:2012
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07b4f841-e2a0-4f1a-b0fb-fa3272bfb5ff.vbs"
        17⤵
        
        PID:1528
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\104049cc-8bbe-44dc-bf9e-c0f31a13c44e.vbs"
        19⤵
        
        PID:1940
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fd660a3-46d6-40e6-bb8e-edc7de3e86d2.vbs"
        21⤵
        
        PID:1936
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fc05e7e-6338-43ab-bb7a-91442bf537cd.vbs"
        23⤵
        
        PID:2628
        
        C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f45d340-ae0b-402e-aefd-48b5ad76a3f5.vbs"
        25⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f062e53-b9f6-4da4-b32d-72e60512439f.vbs"
        25⤵
        
        PID:328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b2efa9a-1717-40a9-a93b-ecd89b0fe3a4.vbs"
        23⤵
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa679ba-64c5-4070-b38b-d32716a7db5e.vbs"
        21⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b899ae29-7be7-465f-b1c4-9515ed735e60.vbs"
        19⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a78571a-a3f2-4c38-9f59-63e8194e7cf7.vbs"
        17⤵
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c48b0a80-ad81-495e-bd0f-a79951e1b6f6.vbs"
        15⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f6db2e9-7162-4891-85d6-9ce8179ed756.vbs"
        13⤵
        
        PID:496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a99fdc38-66c7-464e-895b-208da1f89138.vbs"
        11⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df1393fb-c921-4c00-8d97-1ab0a785f0a9.vbs"
        9⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e75b48c-47b6-445d-b659-a37ed6308a79.vbs"
        7⤵
        
        PID:2864
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36001f12-f807-4303-a60d-925ae11c60a0.vbs"
        5⤵
        
        PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\smss.exe

Filesize
4.9MB

MD5
4e514931905d8a3ba2ffced857ab81db

SHA1
7358c9e22b7544d30ba34f86fe7e37e58a263285

SHA256
3278ee8c0554aef9bdf54cfffb50dd3e7e1b600f50d3f94650b865928fd47c0e

SHA512
b650c79e5c5975d0b819e155ac8caae5a7e4fcdc86aea82357af855a4fcd458d019c920b208788d38b0d31cc967a6775eda23aeb7cef03b4fb5653fa211d4e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\04fac11f-90fb-43e1-b5fa-70c36911c968.vbs

Filesize
743B

MD5
be1967db82012ac27f6c180e55d54ea4

SHA1
9c16f6f1ae8b5926362226b3dd9a2e7949d3dbb1

SHA256
c64def024fb201e5ceb08ccd348b38f1d9be1d7dad672f43bacb11507d128d15

SHA512
36b4a1e80f62235e56d344c930582784e5ea923ae847133546d2b164f982668b43dd9d8d84c2802c9a9d59b0f4da90fbf412eca075a280fb0dbe6e6ee8a4ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\07b4f841-e2a0-4f1a-b0fb-fa3272bfb5ff.vbs

Filesize
743B

MD5
cb2b0917698b4a5daad2490981c65e55

SHA1
0f107fe963d0911f877cea9ae2a5fda6bef8eb68

SHA256
9a9e6c0ff6ffcdf45108e9fb19301365195ed3610c2cd7c2dc73b72554db83bf

SHA512
5765d6024b7647df33bdf6cb2f2c38c826f988cdbbd384c483c73bf6d0e9066b4d433ad3ff4f649fb420c005aa6f8a1c15301201b68be3d454c55f1a6aa2d08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a908ba3-6569-4812-be72-b68d616d3e2e.vbs

Filesize
743B

MD5
606bcf3c1c5650a93390835621b7e466

SHA1
8cbf4ef385174007058cd0f82080938613d29c38

SHA256
a7ade61564e2f55832ab9b29f9570e5d05c36678fb4926805df9cfbdd729e511

SHA512
8ab44fde866809ddf7f6e5e8c65e0213b87c68f1103c264732e8984ca1c0c611156005c4700959da0462d4d77c7e985bbd16973fc6f3893c4d08f113809c571b

Download Submit
C:\Users\Admin\AppData\Local\Temp\104049cc-8bbe-44dc-bf9e-c0f31a13c44e.vbs

Filesize
743B

MD5
2da2d32ef694fc670b018087853e2694

SHA1
de928be9e02a6da1c6560b76548b7fc736f600d8

SHA256
f9af9512b0b34a6372f2af38518b9d284716adad1fb21ea39dd99ef4b1259ba7

SHA512
baeb70580f7bebe75c610baa8b54d5ef04c252a3bc31caa519390efd089bff087486a42088925d83c563a42f6bc91ff629d67bf73d1b2e033e9631f7c4e67a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\36001f12-f807-4303-a60d-925ae11c60a0.vbs

Filesize
519B

MD5
55738e5a81625afaa07b8f81248bc15b

SHA1
991115deac21e450f8485886eb9771a42790e56c

SHA256
dd4aa856beb5da105af4fdb334a2b12ae067544ad7e523dff27ab5030d90daff

SHA512
2ca9ad6af8c90e9185f61347a9f22b668b0e56bd6dfa6ae4a116b4d8b99c03328fbc9d97a9f15f9d1c6ea575b5e3f187156e0e554097009ee11299344a3ab6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cfd38b8-2d70-41a5-988f-0ba9c074c203.vbs

Filesize
743B

MD5
822e48bb58e159512ddce96a529840a7

SHA1
53560131e46840222fbf5d020a6fc080f33cd798

SHA256
e3928d6333c46bdf59bac52dc97d75dc7a24119addc64cee5491d44eae9a6bc4

SHA512
3b8812b57a019648b188fb7f28950ca0bed8289c4f2b2372b6390046041ba09c4135a93020a7091db2eaaabc0ade6549b055484504b1992937af8e12915a91ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\51c9c12d-a25e-4449-98e7-aa8d36d507b2.vbs

Filesize
743B

MD5
c1c50bf6e96648acd04ba33cc1d6378e

SHA1
e3f24555e0778a1122c465c975790f9cead0a7e6

SHA256
6df92ca7dfcce99248ae445e0f61a154d475a4a3b532e0907b9d51c60ec557c2

SHA512
f9f0d70993afb6cc5d2be6375336be18d1aa3f0e86f08dcbd345e3520748509ac17a0499f337cfe41c34ee3176d896e8a4034cabf0fd933e6dcff0af0d66942b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5787db1c-fa75-4d3e-bf60-eaa831e81a4b.vbs

Filesize
743B

MD5
9e16cece361715f3df9430a7d1dc7fed

SHA1
f0831af2dfb5e3a00689d494a6b6c2e5f676a67e

SHA256
3b97ce188d349d7445dec23cf57923e8e7cca8f22b42c89c0d82d587f9c700be

SHA512
6cfeea96bfeb1955ac95fe4c766945e2168f18a7b9038d96326a0a267caa83edbdf5d4234d1fe4d72196490dd1b86bb8abf0fa8ebe0e6e63c9d11363ae854099

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bxb1a8eWE.bat

Filesize
267B

MD5
a2cc07cc541663bb0ae97658852b9a83

SHA1
b7f06a36bf7b295c5745493ee404045e76f5d6d6

SHA256
6003d9b52e73e42c91a887009d30fc8d97921b9201b8844f2b83be74858552cc

SHA512
ee150259ed3508229f288984b932da8c126d1ed63384271d5483cedaaa09c9d691b73449e9236c17fa481044b24114566cf84299a37bfe1b7db3efd79d750f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fc05e7e-6338-43ab-bb7a-91442bf537cd.vbs

Filesize
742B

MD5
ae6ff0eb8496321e617809b86cf329ce

SHA1
ca95513a2069664c10cfc48fb1272d8223eff7f2

SHA256
6b8ade311fa35864ca65af9b3b5d500fc60f4b7f136e7bf5e06d0f203025b492

SHA512
2926b6084b6e3787e6960f33636fafcbf912d2ad68ba7025f1a87818a657f9582c4ab86af57a7c4ffbc472edfbdb860192ea219e658d32dc61ac03a204303112

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fd660a3-46d6-40e6-bb8e-edc7de3e86d2.vbs

Filesize
743B

MD5
25e01b1dbfc623b277734bf2932b9871

SHA1
334d203b4e2322332e8451a055d8ebbf8db75b06

SHA256
c6db7bb4b208827031b5223325a0c3b4dcd57109a158b87045bab0ac0e3669ca

SHA512
4c8ee8c40e830003b38b719bcb1c2305b4a4e0b702426dfb25a47291c811f379ca04f521afaae7fe10059f069df1e5ed146e9833405681c991a216d553d8441f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1c6c69-6313-475e-b3d1-6a526b04ce64.vbs

Filesize
743B

MD5
0243d2509cae642454c23842e0508721

SHA1
d837ba2d36ab87772a6819ccfe18ea52e5e3bb80

SHA256
77d0c507717e4be1d6f497c38f308d42c50515ffff659a5530505db3d710ebed

SHA512
1380c27eb94d837028fc7f7445ec89ad53c7ebb7e01cd096431fbbc71d5617543d00ffe3592cdc10e6568a0bdcc79761e904bca1d1c0375759dfc8cdea1732d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp667.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0a86ff96e0bb90c7ac310ce8b8f294cf

SHA1
6d02c4f46700aa25f40a8bd4c18140ab7bba4780

SHA256
2edf26fa272324aaf6e66963c53d7422f7cd6c8d7a4c9bbe52f29008147d4863

SHA512
2730335b41c1db49b4469046d98e9df3f8029a9eb790ae649b3640a7ff5e412d342a4175e06b2be1fc546f82e50ac1a02ffcd0e37d31e0a447490ca17be80e8d

Download Submit
memory/668-318-0x00000000009B0000-0x0000000000EA4000-memory.dmp

Filesize
5.0MB

Download
memory/1416-258-0x0000000000FA0000-0x0000000001494000-memory.dmp

Filesize
5.0MB

Download
memory/1416-259-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1600-303-0x00000000009B0000-0x00000000009C2000-memory.dmp

Filesize
72KB

Download
memory/1788-228-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/1920-179-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/2236-108-0x0000000000150000-0x0000000000644000-memory.dmp

Filesize
5.0MB

Download
memory/2256-212-0x0000000001250000-0x0000000001744000-memory.dmp

Filesize
5.0MB

Download
memory/2256-213-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2552-12-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2552-15-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2552-1-0x0000000000110000-0x0000000000604000-memory.dmp

Filesize
5.0MB

Download
memory/2552-2-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-10-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2552-16-0x00000000024A0000-0x00000000024AC000-memory.dmp

Filesize
48KB

Download
memory/2552-14-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/2552-9-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/2552-106-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-13-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download
memory/2552-0-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

Filesize
4KB

Download
memory/2552-11-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2552-3-0x000000001B630000-0x000000001B75E000-memory.dmp

Filesize
1.2MB

Download
memory/2552-4-0x0000000000980000-0x000000000099C000-memory.dmp

Filesize
112KB

Download
memory/2552-5-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/2552-8-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/2552-7-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/2552-6-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/2596-288-0x0000000001000000-0x00000000014F4000-memory.dmp

Filesize
5.0MB

Download
memory/2616-139-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/2616-129-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2688-81-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/2688-68-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2700-243-0x0000000000E10000-0x0000000001304000-memory.dmp

Filesize
5.0MB

Download
memory/2784-333-0x0000000000DB0000-0x00000000012A4000-memory.dmp

Filesize
5.0MB

Download