dcrat | 3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bb

Analysis

max time kernel
119s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Size

1.5MB
MD5

e0c65dbfbfc5260e19c57ecb844449d0
SHA1

dd9f1a77331257afe3869d2de63a4e14b7797632
SHA256

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bb
SHA512

6ec5998f4d56f7c179b6e150b38c1b83639dd73ce12e7f137f3673278023d4155db2f4d204f216ad1e99ad1a7d2f793a15ff63142945206efe2ec261ab45c956
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exe3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exeschtasks.exeschtasks.exe

pid	process
2768	schtasks.exe
2576	schtasks.exe
2528	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\msdfmap\7a0fd90576e088	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2536	schtasks.exe
2832	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Windows\\en-US\\dllhost.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Windows\\en-US\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Windows\\en-US\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\System.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Windows\\en-US\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\System.exe\", \"C:\\Documents and Settings\\WMIADAP.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2760	schtasks.exe

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2260 powershell.exe
2812 powershell.exe
1680 powershell.exe
2004 powershell.exe
1940 powershell.exe
1980 powershell.exe

pid	process
2260	powershell.exe
2812	powershell.exe
1680	powershell.exe
2004	powershell.exe
1940	powershell.exe
1980	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Executes dropped EXE 12 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
1400	dllhost.exe
2952	dllhost.exe
2816	dllhost.exe
1632	dllhost.exe
760	dllhost.exe
2128	dllhost.exe
2188	dllhost.exe
2544	dllhost.exe
1724	dllhost.exe
2780	dllhost.exe
2884	dllhost.exe
2652	dllhost.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\en-US\\dllhost.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\System.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Documents and Settings\\WMIADAP.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\msdfmap\\explorer.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\en-US\\dllhost.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Uninstall Information\\dllhost.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Uninstall Information\\dllhost.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\System.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Documents and Settings\\WMIADAP.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\msdfmap\\explorer.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dllhost.exe3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in Program Files directory 8 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\27d1bcfc3c54e0	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXE801.tmp	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Program Files\Uninstall Information\dllhost.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\RCXEA72.tmp	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Program Files\Uninstall Information\dllhost.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Drops file in Windows directory 8 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	process
File opened for modification	C:\Windows\msdfmap\explorer.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\msdfmap\7a0fd90576e088	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\en-US\dllhost.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\en-US\5940a34987c991	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Windows\msdfmap\RCXE3FA.tmp	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Windows\en-US\RCXE5FE.tmp	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Windows\en-US\dllhost.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\msdfmap\explorer.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2536 schtasks.exe
2832 schtasks.exe
2768 schtasks.exe
2576 schtasks.exe
2528 schtasks.exe

pid	process
2536	schtasks.exe
2832	schtasks.exe
2768	schtasks.exe
2576	schtasks.exe
2528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exe

pid	process
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
2812	powershell.exe
1980	powershell.exe
1940	powershell.exe
2004	powershell.exe
2260	powershell.exe
1680	powershell.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
1400	dllhost.exe
2952	dllhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exedllhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Token: SeDebugPrivilege	1400	dllhost.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2952	dllhost.exe
Token: SeDebugPrivilege	2816	dllhost.exe
Token: SeDebugPrivilege	1632	dllhost.exe
Token: SeDebugPrivilege	760	dllhost.exe
Token: SeDebugPrivilege	2128	dllhost.exe
Token: SeDebugPrivilege	2188	dllhost.exe
Token: SeDebugPrivilege	2544	dllhost.exe
Token: SeDebugPrivilege	1724	dllhost.exe
Token: SeDebugPrivilege	2780	dllhost.exe
Token: SeDebugPrivilege	2884	dllhost.exe
Token: SeDebugPrivilege	2652	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exedllhost.exeWScript.exedllhost.exeWScript.exedllhost.exeWScript.exedllhost.exeWScript.exedllhost.exeWScript.exe

description	pid	process	target process
PID 2616 wrote to memory of 2260	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 2260	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 2260	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 2812	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 2812	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 2812	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1680	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1680	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1680	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 2004	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 2004	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 2004	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1940	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1940	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1940	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1980	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1980	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1980	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	powershell.exe
PID 2616 wrote to memory of 1400	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	dllhost.exe
PID 2616 wrote to memory of 1400	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	dllhost.exe
PID 2616 wrote to memory of 1400	2616	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	dllhost.exe
PID 1400 wrote to memory of 2500	1400	dllhost.exe	WScript.exe
PID 1400 wrote to memory of 2500	1400	dllhost.exe	WScript.exe
PID 1400 wrote to memory of 2500	1400	dllhost.exe	WScript.exe
PID 1400 wrote to memory of 3024	1400	dllhost.exe	WScript.exe
PID 1400 wrote to memory of 3024	1400	dllhost.exe	WScript.exe
PID 1400 wrote to memory of 3024	1400	dllhost.exe	WScript.exe
PID 2500 wrote to memory of 2952	2500	WScript.exe	dllhost.exe
PID 2500 wrote to memory of 2952	2500	WScript.exe	dllhost.exe
PID 2500 wrote to memory of 2952	2500	WScript.exe	dllhost.exe
PID 2952 wrote to memory of 2464	2952	dllhost.exe	WScript.exe
PID 2952 wrote to memory of 2464	2952	dllhost.exe	WScript.exe
PID 2952 wrote to memory of 2464	2952	dllhost.exe	WScript.exe
PID 2952 wrote to memory of 2636	2952	dllhost.exe	WScript.exe
PID 2952 wrote to memory of 2636	2952	dllhost.exe	WScript.exe
PID 2952 wrote to memory of 2636	2952	dllhost.exe	WScript.exe
PID 2464 wrote to memory of 2816	2464	WScript.exe	dllhost.exe
PID 2464 wrote to memory of 2816	2464	WScript.exe	dllhost.exe
PID 2464 wrote to memory of 2816	2464	WScript.exe	dllhost.exe
PID 2816 wrote to memory of 2744	2816	dllhost.exe	WScript.exe
PID 2816 wrote to memory of 2744	2816	dllhost.exe	WScript.exe
PID 2816 wrote to memory of 2744	2816	dllhost.exe	WScript.exe
PID 2816 wrote to memory of 2996	2816	dllhost.exe	WScript.exe
PID 2816 wrote to memory of 2996	2816	dllhost.exe	WScript.exe
PID 2816 wrote to memory of 2996	2816	dllhost.exe	WScript.exe
PID 2744 wrote to memory of 1632	2744	WScript.exe	dllhost.exe
PID 2744 wrote to memory of 1632	2744	WScript.exe	dllhost.exe
PID 2744 wrote to memory of 1632	2744	WScript.exe	dllhost.exe
PID 1632 wrote to memory of 2020	1632	dllhost.exe	WScript.exe
PID 1632 wrote to memory of 2020	1632	dllhost.exe	WScript.exe
PID 1632 wrote to memory of 2020	1632	dllhost.exe	WScript.exe
PID 1632 wrote to memory of 2516	1632	dllhost.exe	WScript.exe
PID 1632 wrote to memory of 2516	1632	dllhost.exe	WScript.exe
PID 1632 wrote to memory of 2516	1632	dllhost.exe	WScript.exe
PID 2020 wrote to memory of 760	2020	WScript.exe	dllhost.exe
PID 2020 wrote to memory of 760	2020	WScript.exe	dllhost.exe
PID 2020 wrote to memory of 760	2020	WScript.exe	dllhost.exe
PID 760 wrote to memory of 2716	760	dllhost.exe	WScript.exe
PID 760 wrote to memory of 2716	760	dllhost.exe	WScript.exe
PID 760 wrote to memory of 2716	760	dllhost.exe	WScript.exe
PID 760 wrote to memory of 2004	760	dllhost.exe	WScript.exe
PID 760 wrote to memory of 2004	760	dllhost.exe	WScript.exe
PID 760 wrote to memory of 2004	760	dllhost.exe	WScript.exe
PID 2716 wrote to memory of 2128	2716	WScript.exe	dllhost.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
"C:\Users\Admin\AppData\Local\Temp\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\msdfmap\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\en-US\dllhost.exe
  "C:\Windows\en-US\dllhost.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1400
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78178f9d-b45e-476b-9a29-39847747092f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\en-US\dllhost.exe
      C:\Windows\en-US\dllhost.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfa01a2e-8272-49f6-b7ac-8a7cc9b062a7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\426b8703-3f65-438f-9ed3-1863e983c95e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f96a0551-8dcb-4854-9628-9c407565d08b.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01f5ea84-71ad-437b-9ae5-735acacea6a6.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df07cf00-7d82-4d25-9ec0-6401208bf17c.vbs"
        13⤵
        
        PID:3048
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08d9cf85-891a-4730-8bf2-aba9656e6711.vbs"
        15⤵
        
        PID:1748
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6013b71f-41a4-4078-ad9f-c4bb27077250.vbs"
        17⤵
        
        PID:1996
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dce6baf-8a41-4178-be2a-3eab784d8444.vbs"
        19⤵
        
        PID:1660
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\128ed981-37e1-431c-93c1-56ef65f69e6d.vbs"
        21⤵
        
        PID:2340
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2d0fb40-85d1-45ae-9413-f01aa1cbae54.vbs"
        23⤵
        
        PID:2836
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc678055-c3a8-4e80-9ed4-56a0f3268bda.vbs"
        25⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd82ce53-d3db-48b2-a49a-21dc1c863fe0.vbs"
        25⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4ebebcf-f7d1-4be6-8980-1eae2cc4c4e6.vbs"
        23⤵
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\454a6eae-951f-43ee-aea3-242877f3c334.vbs"
        21⤵
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0890711c-f844-4cd6-a9a9-ceab9dacb34e.vbs"
        19⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62e08393-7d4f-49da-ac1c-746bcfa610ca.vbs"
        17⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\855078ad-c3d2-42a5-9193-59fc04ad1407.vbs"
        15⤵
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0809c9b-c9cb-4261-83c0-cdec35cf2ff7.vbs"
        13⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaaf5742-4857-4bd0-a0f3-688e2384b629.vbs"
        11⤵
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f308a6a6-c95e-4840-90c0-582dc4685f69.vbs"
        9⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbcbb408-6dd2-43b3-a717-8cc6deb121d6.vbs"
        7⤵
        
        PID:2996
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5edccf9b-028a-484d-98a9-860b26f49173.vbs"
        5⤵
        
        PID:2636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4677df28-940a-4cf3-874f-6b357d29c921.vbs"
    3⤵
    PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\msdfmap\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Documents and Settings\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01f5ea84-71ad-437b-9ae5-735acacea6a6.vbs

Filesize
703B

MD5
8171fd6969cdf87477a64fcac95a08f0

SHA1
599ec38bf910b769887294b586034f314509eaaf

SHA256
3b1c6e18322d23072d000c84913f016f775f4a47c8b1a9a6bdb88814cbd497d4

SHA512
afa257868b4840bee7c03d65d5b280065ff11edd7e1aeed5db95a83fd1cb2877f33917a45ccae99a4c8172faa16e32efd85f8dbcd7af62781491b6f080c79a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\08d9cf85-891a-4730-8bf2-aba9656e6711.vbs

Filesize
704B

MD5
78c9ce10d09e9df6b8e9bc37490c6f61

SHA1
6d4615bc542e5bbd26d7f4de5d7b1809c01f59c8

SHA256
10f06eeb164889d9164fcc5d4ed03802eaa5e4b4c8796b55d997df331eb2e021

SHA512
da9856032549a2b84be710276987b6a6903e1827dc803b7ebdaca9c9190ed4302a9ad4b2dd91037b72f9b8aba633e4a7a92e5913576770f3e51df058f97cef5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dce6baf-8a41-4178-be2a-3eab784d8444.vbs

Filesize
704B

MD5
815e4a0a68d9221616350e6c489348a7

SHA1
0af9c5808d158e88bc0f9f00d7260ad8453b5e86

SHA256
b66f4465b18a206f2fcaf3355298945668d4a2c79505604ee746480e841ffeab

SHA512
3f35ed468ae4ae61bbf8c88a28519102ae334cb2a2e23c7e4c578505ed1d717c5a7e2d844e44d8c89e166616454b39790794fb2ce433647c56784cfaa749e413

Download Submit
C:\Users\Admin\AppData\Local\Temp\128ed981-37e1-431c-93c1-56ef65f69e6d.vbs

Filesize
704B

MD5
be3863b8edbf000664b09462fd084fdf

SHA1
8fe0eb17788f1d6b7dcada5f20cb17a1ee53f020

SHA256
31fe8fa9f7a2aea826da8e13c3380292fa4f2852b36539db810b818686e53ca6

SHA512
16fdb63415f897a79616e5316a9c5e66fe71e8695304d097537d68806e776215fa7db689ec01222a0fc28140180bbcd1f2e1b6fd3accb238f5f0c434b774dfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\426b8703-3f65-438f-9ed3-1863e983c95e.vbs

Filesize
704B

MD5
b7cae380d9806115467596f8f42cf05a

SHA1
343522866a84ebaf04374125e82e5111e2504503

SHA256
ae3faee56794525da3cda13e218b5a0b04da232a46126f7bb7fc7443b8857020

SHA512
2b4eefae7617678fc290ef9b70fe7447ae15858c1eaf3301d3f20b5183ff4172c2b2c24302bf90cf663de28edeb7982273c925ed7cc5d6853b4abf4f3c553aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4677df28-940a-4cf3-874f-6b357d29c921.vbs

Filesize
480B

MD5
09fe59b07fc9c2404536a76ee35cd430

SHA1
c1678205755e60ee6446bde32479bd796121afce

SHA256
81a0e2fce58356d4deb9d681676a38093e732427744c3da8375f99537bd30dac

SHA512
6b4019b20c47252fc111121b5903721ab9430636b5291b638a522b6b47264f2dadf47ef3907c6b17f4920a399c760c570fcb51b1dd1caafcb8c82eb38df5c4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\6013b71f-41a4-4078-ad9f-c4bb27077250.vbs

Filesize
704B

MD5
faf3aba3dd88585f2ef341fa08c7793f

SHA1
24e8d69dcff669b108933cc014ca2c6843d910d9

SHA256
8f357b7f8cafff68fe4b1d8a3b65d55502eb27a2ea744fcf54a95278c05edb08

SHA512
ec2c95f22685ff68e2dd2ade041c9399609d545cab5d8f24b0ec1bd31e932d467c00cdb83216ffaf7bacafbf223f3c7cd69f7823bb053dffb82dc5d38ff9bb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\78178f9d-b45e-476b-9a29-39847747092f.vbs

Filesize
704B

MD5
51f396f7578c4c5ccfb7536171d0632c

SHA1
7c7f6ef6269645f6811f59e7ab079f0f14bc611d

SHA256
89f4d30096e1ab4ce7b44d5cd14039b1328ee7b136ea67cf9e8bd4339cd8f4ef

SHA512
fd3cb557b011fccff9ffaf42fc8bebe9b9a49c7c019741bbac057e24e9d5b486efab4bf81f302c8144ebdb2bb03a9d79ea7eb33cdd1e1f994d14de4f099e8a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc678055-c3a8-4e80-9ed4-56a0f3268bda.vbs

Filesize
704B

MD5
451e4253a196edc5ca49045623882802

SHA1
655669e20c9769bef60b80ecbd6ff293809ad561

SHA256
81c72df15a868aa612d39c87951b4153c89aff37ede0809e13978063cb55d8a3

SHA512
2c597554ef12a3b1ff8b19b69e9748a973607c9d2e0f0cd3d2316511b2454cc243fbdbbec0e7989fa4cdb920923f0df2079ac749f867ff5b1043e423f7a374e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfa01a2e-8272-49f6-b7ac-8a7cc9b062a7.vbs

Filesize
704B

MD5
41800bdc2d724f5fd0ae16258ccd3eb7

SHA1
9d50f51acd20911a7fb0285aaa763fb9fbceadaf

SHA256
0acb7cba2172cd3fa1981bbb15a3e9cef2aaeee9d7531ede471791b7c240fc59

SHA512
860babdcace061a6001c00b673deec57cb6f2fbcab741603dfacb9595dcc9d10b0ef18c321974940c56da51d7f23ade731cc18f59ffa57d45cbcc06d0770c7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\df07cf00-7d82-4d25-9ec0-6401208bf17c.vbs

Filesize
704B

MD5
5fff28c41cef8815a50b3359b997dd5f

SHA1
ea2f59b1757dbe1fdda421289e8006c74b8cdf21

SHA256
0414f0f986c592bf0bd29f931b818f82548cbfaa6eab1c4235488000de3e44fa

SHA512
6a7a1062015b2ebf4640ed782bbb4ccd532d2f6aae54174b002b5baca3f794cd9564c3afabf5a09fe23fafc000e053c7546d6f30ca6d79de03247981f09d5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2d0fb40-85d1-45ae-9413-f01aa1cbae54.vbs

Filesize
704B

MD5
a52d4bc5b98b4923be25383a336d5c17

SHA1
af415c2860c1c2b90a4af43bf51e6dcbf670bd72

SHA256
cca24a0f940cebf130611431b4813457ec68db0f6d475bb04b9fdbf44acf99c4

SHA512
c632d9956d287deeaac2236ae262acad9f53a441d4a11a40abd0a45ae5a0809c7a410f5d5d40ab94188434716d304caaf1d71b4fb8a371b5723fbb56da73fac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f96a0551-8dcb-4854-9628-9c407565d08b.vbs

Filesize
704B

MD5
cf25f9a8f39b54312001e6fb049aeac1

SHA1
b72e38b0246632c807b9dc1f3093cedbd01fdc62

SHA256
13e60d336c97337a5248d3bf4be428ad705c64c3b7948ea831a42d47f4e38d9e

SHA512
276e778076cfabe166dcbc9da0b90b557ece8b1ec352b3cf05c3e2c331bdd2a82d11e70763e1dee4f296d504c26e8038d5d230dba6f6102d75d68ae9b8d0645a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UWKWELQ70KU50YXPXYSF.temp

Filesize
7KB

MD5
667683056adc4a6e26ad0553c37a4d55

SHA1
27987d9230929f9b4fb3c979fdc04ab78ac9ea30

SHA256
c4ff9a363f08ae09a5fd26cf05eb073ecdae139bac73b34d626bdc0d30e08c14

SHA512
9c1fb40f69e57016e0c45b2c37163a70996c2d570c6f31d0fdb65d484177b22e5f01e211dc9cf9b48a1f49e7e21d4343b7c5828b20e31f794da7534df2d20065

Download Submit
C:\Users\WMIADAP.exe

Filesize
1.5MB

MD5
e0c65dbfbfc5260e19c57ecb844449d0

SHA1
dd9f1a77331257afe3869d2de63a4e14b7797632

SHA256
3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bb

SHA512
6ec5998f4d56f7c179b6e150b38c1b83639dd73ce12e7f137f3673278023d4155db2f4d204f216ad1e99ad1a7d2f793a15ff63142945206efe2ec261ab45c956

Download Submit
memory/1400-78-0x0000000000EA0000-0x000000000101E000-memory.dmp

Filesize
1.5MB

Download
memory/1400-110-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1632-146-0x00000000010D0000-0x000000000124E000-memory.dmp

Filesize
1.5MB

Download
memory/1940-98-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1980-99-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2616-11-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2616-12-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2616-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/2616-43-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-14-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2616-21-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2616-20-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2616-18-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2616-111-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-17-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2616-13-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2616-15-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2616-1-0x00000000010F0000-0x000000000126E000-memory.dmp

Filesize
1.5MB

Download
memory/2616-24-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-10-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2616-16-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/2616-9-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/2616-8-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2616-7-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2616-6-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2616-5-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2616-4-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2616-3-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/2780-213-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2816-134-0x0000000000CF0000-0x0000000000E6E000-memory.dmp

Filesize
1.5MB

Download
memory/2952-122-0x0000000000020000-0x000000000019E000-memory.dmp

Filesize
1.5MB

Download