dcrat | d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
Size

3.7MB
MD5

b0f05d80b12c67dc9d26fe6d4f0debd0
SHA1

9bf6fee145f08c3ea7d41e6f6755187e92f11978
SHA256

d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
SHA512

19632526b95ea7435c05af10ceb74179e902201389c62476c7cd5281a5dea338283921166a2272cbe12caf58b2207b18b58834b5c2b1c17df87b2f83fc3824d9
SSDEEP

98304:UbF26GgA01Iz8pS1m+j/C7N2DXXrbpqto0:U1A6IIAY+j6pG/Yb

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2532	schtasks.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.execonhost.exereviewnet.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\MssurrogateBrowserDrivermonitor\reviewnet.exe	dcrat
behavioral2/memory/3008-17-0x00000000007D0000-0x0000000000B3A000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.exeWScript.exereviewnet.execonhost.execonhost.execonhost.execonhost.execonhost.exed1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.execonhost.execonhost.execonhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	reviewnet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 14 IoCs

Processes:

reviewnet.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

pid	process
3008	reviewnet.exe
2064	conhost.exe
1384	conhost.exe
1160	conhost.exe
4620	conhost.exe
1636	conhost.exe
1264	conhost.exe
2240	conhost.exe
1468	conhost.exe
4288	conhost.exe
3224	conhost.exe
788	conhost.exe
3912	conhost.exe
3440	conhost.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

conhost.execonhost.execonhost.execonhost.exereviewnet.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Drops file in Program Files directory 6 IoCs

Processes:

reviewnet.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\lsass.exe	reviewnet.exe
File created	C:\Program Files\7-Zip\Lang\6203df4a6bafc7	reviewnet.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\Registry.exe	reviewnet.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\ee2ad38f3d4382	reviewnet.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe	reviewnet.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\56085415360792	reviewnet.exe

Drops file in Windows directory 6 IoCs

Processes:

reviewnet.exe

description	ioc	process
File created	C:\Windows\Web\4K\conhost.exe	reviewnet.exe
File created	C:\Windows\Web\4K\088424020bedd6	reviewnet.exe
File created	C:\Windows\IdentityCRL\INT\sppsvc.exe	reviewnet.exe
File created	C:\Windows\IdentityCRL\INT\0a1fd5f707cd16	reviewnet.exe
File created	C:\Windows\IME\RuntimeBroker.exe	reviewnet.exe
File created	C:\Windows\IME\9e8d7a4ca61bd9	reviewnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exeWScript.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

Processes:

d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4064	schtasks.exe
3528	schtasks.exe
4168	schtasks.exe
4496	schtasks.exe
2324	schtasks.exe
5052	schtasks.exe
3532	schtasks.exe
1992	schtasks.exe
4900	schtasks.exe
4764	schtasks.exe
556	schtasks.exe
3096	schtasks.exe
4484	schtasks.exe
2792	schtasks.exe
724	schtasks.exe
1544	schtasks.exe
3564	schtasks.exe
4348	schtasks.exe
3856	schtasks.exe
5020	schtasks.exe
2448	schtasks.exe
4808	schtasks.exe
5060	schtasks.exe
232	schtasks.exe
1648	schtasks.exe
3036	schtasks.exe
1784	schtasks.exe
2680	schtasks.exe
3136	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

reviewnet.execonhost.exe

pid	process
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
3008	reviewnet.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe
2064	conhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

reviewnet.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	3008	reviewnet.exe
Token: SeDebugPrivilege	2064	conhost.exe
Token: SeDebugPrivilege	1384	conhost.exe
Token: SeDebugPrivilege	1160	conhost.exe
Token: SeDebugPrivilege	4620	conhost.exe
Token: SeDebugPrivilege	1636	conhost.exe
Token: SeDebugPrivilege	1264	conhost.exe
Token: SeDebugPrivilege	2240	conhost.exe
Token: SeDebugPrivilege	1468	conhost.exe
Token: SeDebugPrivilege	4288	conhost.exe
Token: SeDebugPrivilege	3224	conhost.exe
Token: SeDebugPrivilege	788	conhost.exe
Token: SeDebugPrivilege	3912	conhost.exe
Token: SeDebugPrivilege	3440	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exeWScript.execmd.exereviewnet.execonhost.exeWScript.execonhost.exeWScript.execonhost.exeWScript.execonhost.exeWScript.execonhost.exeWScript.execonhost.exeWScript.execonhost.exeWScript.execonhost.exeWScript.execonhost.exe

description	pid	process	target process
PID 2380 wrote to memory of 1832	2380	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	WScript.exe
PID 2380 wrote to memory of 1832	2380	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	WScript.exe
PID 2380 wrote to memory of 1832	2380	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	WScript.exe
PID 2380 wrote to memory of 644	2380	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	WScript.exe
PID 2380 wrote to memory of 644	2380	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	WScript.exe
PID 2380 wrote to memory of 644	2380	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	WScript.exe
PID 1832 wrote to memory of 1772	1832	WScript.exe	cmd.exe
PID 1832 wrote to memory of 1772	1832	WScript.exe	cmd.exe
PID 1832 wrote to memory of 1772	1832	WScript.exe	cmd.exe
PID 1772 wrote to memory of 3008	1772	cmd.exe	reviewnet.exe
PID 1772 wrote to memory of 3008	1772	cmd.exe	reviewnet.exe
PID 3008 wrote to memory of 2064	3008	reviewnet.exe	conhost.exe
PID 3008 wrote to memory of 2064	3008	reviewnet.exe	conhost.exe
PID 2064 wrote to memory of 2620	2064	conhost.exe	WScript.exe
PID 2064 wrote to memory of 2620	2064	conhost.exe	WScript.exe
PID 2064 wrote to memory of 752	2064	conhost.exe	WScript.exe
PID 2064 wrote to memory of 752	2064	conhost.exe	WScript.exe
PID 2620 wrote to memory of 1384	2620	WScript.exe	conhost.exe
PID 2620 wrote to memory of 1384	2620	WScript.exe	conhost.exe
PID 1384 wrote to memory of 4172	1384	conhost.exe	WScript.exe
PID 1384 wrote to memory of 4172	1384	conhost.exe	WScript.exe
PID 1384 wrote to memory of 3024	1384	conhost.exe	WScript.exe
PID 1384 wrote to memory of 3024	1384	conhost.exe	WScript.exe
PID 4172 wrote to memory of 1160	4172	WScript.exe	conhost.exe
PID 4172 wrote to memory of 1160	4172	WScript.exe	conhost.exe
PID 1160 wrote to memory of 4148	1160	conhost.exe	WScript.exe
PID 1160 wrote to memory of 4148	1160	conhost.exe	WScript.exe
PID 1160 wrote to memory of 1832	1160	conhost.exe	WScript.exe
PID 1160 wrote to memory of 1832	1160	conhost.exe	WScript.exe
PID 4148 wrote to memory of 4620	4148	WScript.exe	conhost.exe
PID 4148 wrote to memory of 4620	4148	WScript.exe	conhost.exe
PID 4620 wrote to memory of 1808	4620	conhost.exe	WScript.exe
PID 4620 wrote to memory of 1808	4620	conhost.exe	WScript.exe
PID 4620 wrote to memory of 3932	4620	conhost.exe	WScript.exe
PID 4620 wrote to memory of 3932	4620	conhost.exe	WScript.exe
PID 1808 wrote to memory of 1636	1808	WScript.exe	conhost.exe
PID 1808 wrote to memory of 1636	1808	WScript.exe	conhost.exe
PID 1636 wrote to memory of 4168	1636	conhost.exe	WScript.exe
PID 1636 wrote to memory of 4168	1636	conhost.exe	WScript.exe
PID 1636 wrote to memory of 3984	1636	conhost.exe	WScript.exe
PID 1636 wrote to memory of 3984	1636	conhost.exe	WScript.exe
PID 4168 wrote to memory of 1264	4168	WScript.exe	conhost.exe
PID 4168 wrote to memory of 1264	4168	WScript.exe	conhost.exe
PID 1264 wrote to memory of 3172	1264	conhost.exe	WScript.exe
PID 1264 wrote to memory of 3172	1264	conhost.exe	WScript.exe
PID 1264 wrote to memory of 1664	1264	conhost.exe	WScript.exe
PID 1264 wrote to memory of 1664	1264	conhost.exe	WScript.exe
PID 3172 wrote to memory of 2240	3172	WScript.exe	conhost.exe
PID 3172 wrote to memory of 2240	3172	WScript.exe	conhost.exe
PID 2240 wrote to memory of 1740	2240	conhost.exe	WScript.exe
PID 2240 wrote to memory of 1740	2240	conhost.exe	WScript.exe
PID 2240 wrote to memory of 2380	2240	conhost.exe	WScript.exe
PID 2240 wrote to memory of 2380	2240	conhost.exe	WScript.exe
PID 1740 wrote to memory of 1468	1740	WScript.exe	conhost.exe
PID 1740 wrote to memory of 1468	1740	WScript.exe	conhost.exe
PID 1468 wrote to memory of 3064	1468	conhost.exe	WScript.exe
PID 1468 wrote to memory of 3064	1468	conhost.exe	WScript.exe
PID 1468 wrote to memory of 4808	1468	conhost.exe	WScript.exe
PID 1468 wrote to memory of 4808	1468	conhost.exe	WScript.exe
PID 3064 wrote to memory of 4288	3064	WScript.exe	conhost.exe
PID 3064 wrote to memory of 4288	3064	WScript.exe	conhost.exe
PID 4288 wrote to memory of 2608	4288	conhost.exe	WScript.exe
PID 4288 wrote to memory of 2608	4288	conhost.exe	WScript.exe
PID 4288 wrote to memory of 856	4288	conhost.exe	WScript.exe

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

conhost.exereviewnet.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
"C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\MssurrogateBrowserDrivermonitor\reviewnet.exe
      "C:\MssurrogateBrowserDrivermonitor\reviewnet.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3008
    - - C:\Windows\Web\4K\conhost.exe
        
        "C:\Windows\Web\4K\conhost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1771903-65db-44d1-855d-af299cf4986c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a31216dc-51b3-4244-b346-a75b19ae4d9d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e47ff35-c0c7-4432-b706-b76640cc059b.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ca61eb5-bba8-485c-af83-fffa5d1ffd68.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a93697-f5f2-4e87-bd91-dcad4ff5d0df.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d840b29c-a5a8-420e-b289-351773612f3c.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5ac4ee1-4288-4474-8135-d7a49a9268e7.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01d57887-8d33-4d5d-9b95-a89f4add18ad.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e4d80f4-566f-459b-a04c-f1ec9a6d0d80.vbs"
        22⤵
        
        PID:2608
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\161e54e5-fee7-43e2-bafa-82e7bc708fc6.vbs"
        24⤵
        
        PID:1040
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdba9aba-566a-4b55-88aa-30781d54f627.vbs"
        26⤵
        
        PID:5044
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b918aa2-c528-4e60-a78a-5e7c14c59ea1.vbs"
        28⤵
        
        PID:4992
        
        C:\Windows\Web\4K\conhost.exe
        
        C:\Windows\Web\4K\conhost.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53bbe95a-3176-4c21-802d-24ae3b04a114.vbs"
        30⤵
        
        PID:4700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07fe3305-303f-41c6-9838-1efb423575ad.vbs"
        30⤵
        
        PID:3860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\303578c8-2f86-4c0c-ac0e-43bdf29a636d.vbs"
        28⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30979c5c-dd64-4f06-a43f-0b154dc4968f.vbs"
        26⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\941b97d4-c2e5-4e7a-9e56-bdd5212baa57.vbs"
        24⤵
        
        PID:4708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f2b0a6-a5c7-4cbf-85a5-6dd367d016c8.vbs"
        22⤵
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f9c966-04e7-4566-806f-e46f3314e527.vbs"
        20⤵
        
        PID:4808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12b0f561-44d3-4b75-99ab-fe09ddf08d94.vbs"
        18⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b28c1a3f-7d38-4f5e-b174-22088aace88b.vbs"
        16⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15cdc8b3-4d2c-4bbd-a165-5012e21c16ba.vbs"
        14⤵
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a31a9ac9-626c-4cb3-9361-978baab814d0.vbs"
        12⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57af8dd9-bdb8-4cda-b19e-20c491f8e275.vbs"
        10⤵
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\593b0744-5941-4036-bc53-f3cdff9aa9a5.vbs"
        8⤵
        
        PID:3024
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7fa6e1c-408a-40cd-89da-b38c73ed88f2.vbs"
        6⤵
        
        PID:752
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MssurrogateBrowserDrivermonitor\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MssurrogateBrowserDrivermonitor\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\4K\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Web\4K\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\4K\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MssurrogateBrowserDrivermonitor\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MssurrogateBrowserDrivermonitor\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MssurrogateBrowserDrivermonitor\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\MssurrogateBrowserDrivermonitor\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IME\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat

Filesize
50B

MD5
934b57a6b87ad62fbf72805fc7ed30d0

SHA1
04111b17e6b836077bca5c092dfd4e59657fbfae

SHA256
25bfd4297df8354c427f96c5569594300935745c03f15aa1e4097cff1be3f70d

SHA512
5737cbaa48b1c5804072681e58e8e9d55aa7d996614dd3ff6501afaea693aca3fe7275a811c7aad1bbb88057fea7a31a393cadf7c2761aeca32e1e1f83940b07

Download Submit
C:\MssurrogateBrowserDrivermonitor\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\MssurrogateBrowserDrivermonitor\reviewnet.exe

Filesize
3.4MB

MD5
7d995f38d429ff33eaf4ce89f60585f9

SHA1
160f3163b335110d718e98390add6ca7a110a8ca

SHA256
49877051396a67dc531bb04d9745c78820a04e21ab3a6071906739ef48098b68

SHA512
61cb35e8469cd396b8487ca31542d0f505179283aa7d645344f2de7ffa47cfda0013bdfa2c5b29edd16978bce9a90fe2795a62e3dd4b900d9db5431b2d81f887

Download Submit
C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe

Filesize
220B

MD5
b7946fc546ca743f534d88dddeee3f00

SHA1
668ed69a0b7a298e08a68e80161f7eeead3128a5

SHA256
8673980ed61a75db17016d3fe892f2c37ddc037f34032e2fd35626ed146d80d2

SHA512
7ee3cec4df1a0b2c5984ccf860a004dcaa3c3fa258370edabb50ccd3f92a8d3ab8daf1af1f5087a67a24bf285a34b040f36d7673f1f8e413dc931a201967712a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d57887-8d33-4d5d-9b95-a89f4add18ad.vbs

Filesize
705B

MD5
3388a5b8a33afa8ba677d8aac07c7908

SHA1
8b31e136cef641ea2696f367cc58ccd61b69aeec

SHA256
716d4e06b665360aa95a00e28b07a252e353b0763c3eb379e9b2c9ad5da1370d

SHA512
4eb80d03f3240aa06485aac31ebe17e0117ba0a78f4a812c3cb5d0ad1d47ddb90496ca2ccabc8d0b1b18d4ddf8d81a2747f29f1835d5fa4821ac0ccb9250ee64

Download Submit
C:\Users\Admin\AppData\Local\Temp\161e54e5-fee7-43e2-bafa-82e7bc708fc6.vbs

Filesize
705B

MD5
cab233266569986fbea6e4f14ae9c678

SHA1
0eacf604482ac47b16906ded4f4e860f4d5f33c3

SHA256
2915c65c9f311352424dfb61fb8fcb7947d63f8aba631be2ff80191b7f9acc10

SHA512
af2b9790a44cf48312311a92a1670170de34004e940148d40be0aa7e55cce0ce6ec6e8d33c544a8df63b87fadac18a3f68beae53622ef3dd5fc09dedf4d64135

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e47ff35-c0c7-4432-b706-b76640cc059b.vbs

Filesize
705B

MD5
a73a765a9c40ab587bb3ccac5718b454

SHA1
dd9222f8dcc824ea4736de7e53ddf46ca78fe5e6

SHA256
bad3d215dabafc7443c36fcf7944e27dbda4b8e2f7397aef616eb66ac0560f35

SHA512
116a2d67a50f11e9becede7b5ec5f8a9ffdf4829b0227dcc0127a420e85d6f0ec0cdff00dc3126f4162899b7d04f8e699f21b49a5a0068918978ab56604c1a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e4d80f4-566f-459b-a04c-f1ec9a6d0d80.vbs

Filesize
705B

MD5
2e72c91c5e1b0b90e0b3bbc6e8b69d21

SHA1
751a18db32073f0e994455c65176b202f7ea4dd9

SHA256
d05969fec349ec1feb712f29ac2e1f6c1df5223abd9f99ab0aec18160d46df4b

SHA512
54125a512c5ffd00f9a85bacb6f89150c1b5f2d43db00fd14a23f61cd570850302fa1b9a4b8d5bf4fb96f2d0cb86e84c8710554a168624969c21e99d246b909a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ca61eb5-bba8-485c-af83-fffa5d1ffd68.vbs

Filesize
705B

MD5
77eccecb583441cedc1fcec43533a15b

SHA1
83d1b2d6a638813547d8d8c83ea54912225edf40

SHA256
a1a98d1df130523edd376d3f9dd0ac937e710f553724f8fbaad90df4b5d6511d

SHA512
059bb935b5d727fa70d8263cc30eb359ef4d2c186e106a49e4ed4bde1680634075e11498a789188b766770a9afdd4a34fe7bc5dc2f2fc01a18f51089203a7e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\53bbe95a-3176-4c21-802d-24ae3b04a114.vbs

Filesize
705B

MD5
6460cb1e9460811112d0109a79069074

SHA1
43413aa39303301809b4058074c11d3130a450e6

SHA256
cc18b7e384479722e621ad937a355b5b1c854e8e9938ee19ef86923e5200322f

SHA512
a924088612a4df3144e84f8456c05c67c2b136ea4ebb821327b9bd27b1a86c509b4fd564a52bedd1aa2106ede23b8034435546f51260b75a7de6e778d2b5209d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b918aa2-c528-4e60-a78a-5e7c14c59ea1.vbs

Filesize
705B

MD5
edf39eb0abb4542943ea6fbe7451206f

SHA1
3e927f2d7b9e0ffa6815ee9f7af295618a672265

SHA256
016d5e227f1e1ab208d4ad8515505886eba470dc69c64ea6ebaf6e8e4108ce6d

SHA512
6067744530614fda6fe47859dc084cbdff4243a36c55b7a564f7f7a22f1e475156acdb7d9ac8b3479f6ceb38f1788cccc0d909184235b6dee73478bf45a9215b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a31216dc-51b3-4244-b346-a75b19ae4d9d.vbs

Filesize
705B

MD5
50f2a4baf5341179ef6467f1c97f43b0

SHA1
389fbc0a87951b72eba0e4d8b1c3eb92d8f7480a

SHA256
8711a551995fe9a6af6020f535ba1501efd7bb186ff7a1cd370b0a4322790f0d

SHA512
482035a26be45d896db812306bf408009773ca7f6401b62bb72236ce0fe3869c3dc7c4dec6a148c8896dd0c9116515fe4e730f31a486e22a6f6a55dec4d28734

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5ac4ee1-4288-4474-8135-d7a49a9268e7.vbs

Filesize
705B

MD5
dffbb094c6205a958e98638b83d8c207

SHA1
c8078dc54036ddaee025f6447ba36cefd405c69b

SHA256
2943da067e5c4bda6e7e057a3c8bc6cd4b257e66ba77f9b535de9fe68d25fd28

SHA512
f896cb661736948e5352ce7874a6ee89cf7e7a23c2a92c9a6769ce23c8e7e9e26c9a443ffdb33cf526b9b5e5558039ebe7a96fee3130e8efba2c1cfb7b44dba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7fa6e1c-408a-40cd-89da-b38c73ed88f2.vbs

Filesize
481B

MD5
bd14c78344e05ea232a9825644a1b989

SHA1
5db5c7797feb55276267401758d9b9a7485ff15e

SHA256
8218e1e83446a383cfa0f2ecb120bd33e31190562238f7186ed1c4950ccb7d67

SHA512
5157e29af15bd8d96d4d3046d94c380df87f61877faccaf04abd120a0e2493d65a964424a0c23873a6856799ec8dcc76a3b86bb2b81816706f11c96549c589f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdba9aba-566a-4b55-88aa-30781d54f627.vbs

Filesize
704B

MD5
8a223b331f9e0ebd10cf32bff25d51ef

SHA1
a0fe16e80644c7ffe9808f71b69fca858a25b48d

SHA256
6cfd924861a2c6758e03adb75c01523f4871bc20feecbe17e1077a9dd18476a4

SHA512
3713b42a6c6dcb3b4e22fa4504ee5a569a59544a23295b51bbf1c87cc9d66645f3d509c4a88e59b56d096f9999d59a955d278bc68ee9f84f6a1c433c535db8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1771903-65db-44d1-855d-af299cf4986c.vbs

Filesize
705B

MD5
a87618932fed6050c3e43e16a8126888

SHA1
d977d5d170f08c418eaf9bde8d36588b451c1c34

SHA256
b6c62a94c529a9f81d801111b23892d5bf9139ae90bd2d11b434cd18e1012a1f

SHA512
31740a2c1d2de6bce8cc7bc89d43165be907d2ab4b50cba9fc7470029512460879464862323265e4f9adf818eb3edfb10a42b673bdc17fd6d4bb3cb4160d66fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3a93697-f5f2-4e87-bd91-dcad4ff5d0df.vbs

Filesize
705B

MD5
f78007f058d888beacdb9b49e2e88ab3

SHA1
ce4c054c1883a9632fdbbdc63a0a7ffa97c72aca

SHA256
b26dd5d64e2095a43cf2a328014e90df96014c6d2bfdc2a69ce8430b24543cff

SHA512
b32003a2bfa0ad4dac5671e5bccc28e954402778a7fa944a170449f1f607002132f86cef43aa67567e8bfa354aa162a37f93815d23c1a062824cac1fc0ded9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d840b29c-a5a8-420e-b289-351773612f3c.vbs

Filesize
705B

MD5
dd2958bde3e765733d77d49aafd7aac6

SHA1
a4556f9af99b20af03034f534a47a5c78aed0853

SHA256
e1379177aaecc697ccbdd459d82d4fa21bd72e225712e1c6aeb48dcf2ecede50

SHA512
4873b2a89fbe4ee69b18bfc309aa2984f65c3331206bc10fed954b91a542a2773f8e3e530c4d48186516e8e64dac2ac6ea57476ca11a988c7d48d00b4ffc2a8d

Download Submit
memory/788-205-0x000000001B590000-0x000000001B5A2000-memory.dmp

Filesize
72KB

Download
memory/1160-110-0x0000000002B90000-0x0000000002BA2000-memory.dmp

Filesize
72KB

Download
memory/1468-169-0x0000000003270000-0x0000000003282000-memory.dmp

Filesize
72KB

Download
memory/2064-86-0x000000001C660000-0x000000001C6B6000-memory.dmp

Filesize
344KB

Download
memory/2240-156-0x0000000003120000-0x0000000003132000-memory.dmp

Filesize
72KB

Download
memory/2240-157-0x0000000003290000-0x00000000032E6000-memory.dmp

Filesize
344KB

Download
memory/3008-30-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/3008-34-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

Filesize
32KB

Download
memory/3008-40-0x000000001C050000-0x000000001C05C000-memory.dmp

Filesize
48KB

Download
memory/3008-41-0x000000001C060000-0x000000001C068000-memory.dmp

Filesize
32KB

Download
memory/3008-42-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/3008-43-0x000000001C080000-0x000000001C08C000-memory.dmp

Filesize
48KB

Download
memory/3008-44-0x000000001C090000-0x000000001C098000-memory.dmp

Filesize
32KB

Download
memory/3008-45-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

Filesize
48KB

Download
memory/3008-46-0x000000001C0B0000-0x000000001C0BA000-memory.dmp

Filesize
40KB

Download
memory/3008-47-0x000000001C0C0000-0x000000001C0CE000-memory.dmp

Filesize
56KB

Download
memory/3008-49-0x000000001C0E0000-0x000000001C0EE000-memory.dmp

Filesize
56KB

Download
memory/3008-48-0x000000001C0D0000-0x000000001C0D8000-memory.dmp

Filesize
32KB

Download
memory/3008-50-0x000000001C0F0000-0x000000001C0F8000-memory.dmp

Filesize
32KB

Download
memory/3008-51-0x000000001C310000-0x000000001C31C000-memory.dmp

Filesize
48KB

Download
memory/3008-52-0x000000001C320000-0x000000001C328000-memory.dmp

Filesize
32KB

Download
memory/3008-53-0x000000001C430000-0x000000001C43A000-memory.dmp

Filesize
40KB

Download
memory/3008-54-0x000000001C330000-0x000000001C33C000-memory.dmp

Filesize
48KB

Download
memory/3008-38-0x000000001C640000-0x000000001CB68000-memory.dmp

Filesize
5.2MB

Download
memory/3008-37-0x000000001C010000-0x000000001C022000-memory.dmp

Filesize
72KB

Download
memory/3008-36-0x000000001C000000-0x000000001C008000-memory.dmp

Filesize
32KB

Download
memory/3008-35-0x000000001C100000-0x000000001C10C000-memory.dmp

Filesize
48KB

Download
memory/3008-39-0x000000001C040000-0x000000001C04C000-memory.dmp

Filesize
48KB

Download
memory/3008-33-0x000000001BFE0000-0x000000001BFEC000-memory.dmp

Filesize
48KB

Download
memory/3008-32-0x000000001B880000-0x000000001B8D6000-memory.dmp

Filesize
344KB

Download
memory/3008-17-0x00000000007D0000-0x0000000000B3A000-memory.dmp

Filesize
3.4MB

Download
memory/3008-31-0x000000001B870000-0x000000001B87A000-memory.dmp

Filesize
40KB

Download
memory/3008-29-0x0000000002E00000-0x0000000002E08000-memory.dmp

Filesize
32KB

Download
memory/3008-28-0x000000001B860000-0x000000001B86C000-memory.dmp

Filesize
48KB

Download
memory/3008-25-0x0000000002DC0000-0x0000000002DD6000-memory.dmp

Filesize
88KB

Download
memory/3008-27-0x0000000002DF0000-0x0000000002E02000-memory.dmp

Filesize
72KB

Download
memory/3008-26-0x0000000002DE0000-0x0000000002DE8000-memory.dmp

Filesize
32KB

Download
memory/3008-23-0x0000000002DA0000-0x0000000002DA8000-memory.dmp

Filesize
32KB

Download
memory/3008-24-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3008-18-0x0000000001350000-0x000000000135E000-memory.dmp

Filesize
56KB

Download
memory/3008-22-0x000000001B7F0000-0x000000001B840000-memory.dmp

Filesize
320KB

Download
memory/3008-19-0x0000000001360000-0x000000000136E000-memory.dmp

Filesize
56KB

Download
memory/3008-21-0x0000000002D80000-0x0000000002D9C000-memory.dmp

Filesize
112KB

Download
memory/3008-20-0x0000000001480000-0x0000000001488000-memory.dmp

Filesize
32KB

Download
memory/3224-193-0x000000001B7E0000-0x000000001B7F2000-memory.dmp

Filesize
72KB

Download
memory/3912-217-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3912-218-0x000000001B100000-0x000000001B112000-memory.dmp

Filesize
72KB

Download
memory/4288-181-0x000000001B860000-0x000000001B872000-memory.dmp

Filesize
72KB

Download
memory/4620-122-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download