dcrat | d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
Size

3.7MB
MD5

b0f05d80b12c67dc9d26fe6d4f0debd0
SHA1

9bf6fee145f08c3ea7d41e6f6755187e92f11978
SHA256

d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
SHA512

19632526b95ea7435c05af10ceb74179e902201389c62476c7cd5281a5dea338283921166a2272cbe12caf58b2207b18b58834b5c2b1c17df87b2f83fc3824d9
SSDEEP

98304:UbF26GgA01Iz8pS1m+j/C7N2DXXrbpqto0:U1A6IIAY+j6pG/Yb

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2036	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2036	schtasks.exe	35

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186ca-14.dat	dcrat
behavioral1/memory/2824-18-0x0000000000A90000-0x0000000000DFA000-memory.dmp	dcrat
behavioral1/memory/2796-85-0x0000000000BF0000-0x0000000000F5A000-memory.dmp	dcrat
behavioral1/memory/2348-97-0x00000000000E0000-0x000000000044A000-memory.dmp	dcrat
behavioral1/memory/1972-111-0x0000000000310000-0x000000000067A000-memory.dmp	dcrat
behavioral1/memory/2244-124-0x00000000003E0000-0x000000000074A000-memory.dmp	dcrat
behavioral1/memory/2160-137-0x0000000000D30000-0x000000000109A000-memory.dmp	dcrat
behavioral1/memory/2152-150-0x0000000001340000-0x00000000016AA000-memory.dmp	dcrat
behavioral1/memory/2076-174-0x00000000002D0000-0x000000000063A000-memory.dmp	dcrat
behavioral1/memory/2996-186-0x0000000000160000-0x00000000004CA000-memory.dmp	dcrat
behavioral1/memory/912-200-0x0000000000AF0000-0x0000000000E5A000-memory.dmp	dcrat
behavioral1/memory/1760-212-0x0000000000BE0000-0x0000000000F4A000-memory.dmp	dcrat
behavioral1/memory/2676-224-0x0000000001310000-0x000000000167A000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
2824	reviewnet.exe
2796	conhost.exe
2348	conhost.exe
1972	conhost.exe
2244	conhost.exe
2160	conhost.exe
2152	conhost.exe
824	conhost.exe
2076	conhost.exe
2996	conhost.exe
912	conhost.exe
1760	conhost.exe
2676	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2696	cmd.exe
2696	cmd.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	reviewnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\OSPPSVC.exe	reviewnet.exe
File created	C:\Program Files (x86)\Adobe\1610b97d3ab4a7	reviewnet.exe
File created	C:\Program Files\Windows Journal\es-ES\services.exe	reviewnet.exe
File created	C:\Program Files\Windows Journal\es-ES\c5b4cb5e9653cc	reviewnet.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\886983d96e3d3e	reviewnet.exe
File created	C:\Windows\Registration\CRMLog\csrss.exe	reviewnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2912	schtasks.exe
1952	schtasks.exe
1608	schtasks.exe
2984	schtasks.exe
860	schtasks.exe
1652	schtasks.exe
1448	schtasks.exe
1868	schtasks.exe
1124	schtasks.exe
2068	schtasks.exe
2220	schtasks.exe
696	schtasks.exe
532	schtasks.exe
644	schtasks.exe
2944	schtasks.exe
2392	schtasks.exe
1820	schtasks.exe
2844	schtasks.exe
2860	schtasks.exe
1136	schtasks.exe
872	schtasks.exe
1896	schtasks.exe
2608	schtasks.exe
2784	schtasks.exe
1700	schtasks.exe
772	schtasks.exe
1904	schtasks.exe
756	schtasks.exe
552	schtasks.exe
2344	schtasks.exe
1872	schtasks.exe
332	schtasks.exe
2092	schtasks.exe
1972	schtasks.exe
2256	schtasks.exe
660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	reviewnet.exe
2824	reviewnet.exe
2824	reviewnet.exe
2824	reviewnet.exe
2824	reviewnet.exe
2824	reviewnet.exe
2824	reviewnet.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe
2796	conhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	reviewnet.exe
Token: SeDebugPrivilege	2796	conhost.exe
Token: SeDebugPrivilege	2348	conhost.exe
Token: SeDebugPrivilege	1972	conhost.exe
Token: SeDebugPrivilege	2244	conhost.exe
Token: SeDebugPrivilege	2160	conhost.exe
Token: SeDebugPrivilege	2152	conhost.exe
Token: SeDebugPrivilege	824	conhost.exe
Token: SeDebugPrivilege	2076	conhost.exe
Token: SeDebugPrivilege	2996	conhost.exe
Token: SeDebugPrivilege	912	conhost.exe
Token: SeDebugPrivilege	1760	conhost.exe
Token: SeDebugPrivilege	2676	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2632	2188	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	30
PID 2188 wrote to memory of 2632	2188	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	30
PID 2188 wrote to memory of 2632	2188	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	30
PID 2188 wrote to memory of 2632	2188	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	30
PID 2188 wrote to memory of 2788	2188	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	31
PID 2188 wrote to memory of 2788	2188	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	31
PID 2188 wrote to memory of 2788	2188	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	31
PID 2188 wrote to memory of 2788	2188	d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe	31
PID 2632 wrote to memory of 2696	2632	WScript.exe	32
PID 2632 wrote to memory of 2696	2632	WScript.exe	32
PID 2632 wrote to memory of 2696	2632	WScript.exe	32
PID 2632 wrote to memory of 2696	2632	WScript.exe	32
PID 2696 wrote to memory of 2824	2696	cmd.exe	34
PID 2696 wrote to memory of 2824	2696	cmd.exe	34
PID 2696 wrote to memory of 2824	2696	cmd.exe	34
PID 2696 wrote to memory of 2824	2696	cmd.exe	34
PID 2824 wrote to memory of 1756	2824	reviewnet.exe	72
PID 2824 wrote to memory of 1756	2824	reviewnet.exe	72
PID 2824 wrote to memory of 1756	2824	reviewnet.exe	72
PID 1756 wrote to memory of 2832	1756	cmd.exe	74
PID 1756 wrote to memory of 2832	1756	cmd.exe	74
PID 1756 wrote to memory of 2832	1756	cmd.exe	74
PID 1756 wrote to memory of 2796	1756	cmd.exe	75
PID 1756 wrote to memory of 2796	1756	cmd.exe	75
PID 1756 wrote to memory of 2796	1756	cmd.exe	75
PID 2796 wrote to memory of 2052	2796	conhost.exe	76
PID 2796 wrote to memory of 2052	2796	conhost.exe	76
PID 2796 wrote to memory of 2052	2796	conhost.exe	76
PID 2796 wrote to memory of 1716	2796	conhost.exe	77
PID 2796 wrote to memory of 1716	2796	conhost.exe	77
PID 2796 wrote to memory of 1716	2796	conhost.exe	77
PID 2052 wrote to memory of 2348	2052	WScript.exe	78
PID 2052 wrote to memory of 2348	2052	WScript.exe	78
PID 2052 wrote to memory of 2348	2052	WScript.exe	78
PID 2348 wrote to memory of 1872	2348	conhost.exe	79
PID 2348 wrote to memory of 1872	2348	conhost.exe	79
PID 2348 wrote to memory of 1872	2348	conhost.exe	79
PID 2348 wrote to memory of 2720	2348	conhost.exe	80
PID 2348 wrote to memory of 2720	2348	conhost.exe	80
PID 2348 wrote to memory of 2720	2348	conhost.exe	80
PID 1872 wrote to memory of 1972	1872	WScript.exe	81
PID 1872 wrote to memory of 1972	1872	WScript.exe	81
PID 1872 wrote to memory of 1972	1872	WScript.exe	81
PID 1972 wrote to memory of 1376	1972	conhost.exe	82
PID 1972 wrote to memory of 1376	1972	conhost.exe	82
PID 1972 wrote to memory of 1376	1972	conhost.exe	82
PID 1972 wrote to memory of 1120	1972	conhost.exe	83
PID 1972 wrote to memory of 1120	1972	conhost.exe	83
PID 1972 wrote to memory of 1120	1972	conhost.exe	83
PID 1376 wrote to memory of 2244	1376	WScript.exe	84
PID 1376 wrote to memory of 2244	1376	WScript.exe	84
PID 1376 wrote to memory of 2244	1376	WScript.exe	84
PID 2244 wrote to memory of 2772	2244	conhost.exe	85
PID 2244 wrote to memory of 2772	2244	conhost.exe	85
PID 2244 wrote to memory of 2772	2244	conhost.exe	85
PID 2244 wrote to memory of 2276	2244	conhost.exe	86
PID 2244 wrote to memory of 2276	2244	conhost.exe	86
PID 2244 wrote to memory of 2276	2244	conhost.exe	86
PID 2772 wrote to memory of 2160	2772	WScript.exe	87
PID 2772 wrote to memory of 2160	2772	WScript.exe	87
PID 2772 wrote to memory of 2160	2772	WScript.exe	87
PID 2160 wrote to memory of 2596	2160	conhost.exe	88
PID 2160 wrote to memory of 2596	2160	conhost.exe	88
PID 2160 wrote to memory of 2596	2160	conhost.exe	88

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewnet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
"C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\MssurrogateBrowserDrivermonitor\reviewnet.exe
      "C:\MssurrogateBrowserDrivermonitor\reviewnet.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtvPUwLvJY.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2832
      - C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e595425-2b73-4195-8911-5c6073effb7a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e916356-a953-44c7-8530-d95597a79d0b.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2dc70cd-c7a7-4c95-b5a8-a7e778ae12bd.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6768f131-2ea9-46bc-9e4c-ca0c7654fb2e.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731a0643-9b43-4ad9-aa55-421bf99ec43e.vbs"
        15⤵
        
        PID:2596
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54560b77-8407-4bae-a88d-20ef2533176f.vbs"
        17⤵
        
        PID:2476
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55b0723a-52e8-40b0-9364-d19752616b1d.vbs"
        19⤵
        
        PID:2312
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b437ed2-39fd-41bc-b03d-3d2c491f60c5.vbs"
        21⤵
        
        PID:2840
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1849ee88-3ca4-4367-9c5f-3ebf988c1e75.vbs"
        23⤵
        
        PID:2516
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a259954-f278-4c40-b898-72a1ec086170.vbs"
        25⤵
        
        PID:2968
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f32c890a-8ddf-418a-931f-fe1b3fd96af4.vbs"
        27⤵
        
        PID:3016
        
        C:\Users\Default\conhost.exe
        
        C:\Users\Default\conhost.exe
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65075b9-6742-464f-b51a-0c98524da1b0.vbs"
        29⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d4fca6-04ed-4edd-a021-6cdcbb7916a4.vbs"
        29⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cadae5a-cca7-4446-a51c-86f7b9973bc9.vbs"
        27⤵
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c097a7e-8d46-484e-9a22-8a8e44529da8.vbs"
        25⤵
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\387d7a71-d1fd-440c-ab22-7c798371c211.vbs"
        23⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c60b3b21-5794-4d6c-b6e4-5d7f9ffc9e34.vbs"
        21⤵
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8fe92d0-f36c-4692-873f-84d41170c6ae.vbs"
        19⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebafc3d7-63cf-4cdf-bf32-b4596c185f48.vbs"
        17⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cea0326f-7242-486f-80cf-cbc364719b12.vbs"
        15⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81884a55-d186-4193-ab92-cdc0d7d8131c.vbs"
        13⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a16bf023-bf1b-40a1-95e9-135b9e30e542.vbs"
        11⤵
        
        PID:1120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaeb15bb-067f-488d-b567-db5b74597a9b.vbs"
        9⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e78716f-e5e2-46a7-b033-7b3ab4766850.vbs"
        7⤵
        
        PID:1716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat

Filesize
50B

MD5
934b57a6b87ad62fbf72805fc7ed30d0

SHA1
04111b17e6b836077bca5c092dfd4e59657fbfae

SHA256
25bfd4297df8354c427f96c5569594300935745c03f15aa1e4097cff1be3f70d

SHA512
5737cbaa48b1c5804072681e58e8e9d55aa7d996614dd3ff6501afaea693aca3fe7275a811c7aad1bbb88057fea7a31a393cadf7c2761aeca32e1e1f83940b07

Download Submit
C:\MssurrogateBrowserDrivermonitor\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe

Filesize
220B

MD5
b7946fc546ca743f534d88dddeee3f00

SHA1
668ed69a0b7a298e08a68e80161f7eeead3128a5

SHA256
8673980ed61a75db17016d3fe892f2c37ddc037f34032e2fd35626ed146d80d2

SHA512
7ee3cec4df1a0b2c5984ccf860a004dcaa3c3fa258370edabb50ccd3f92a8d3ab8daf1af1f5087a67a24bf285a34b040f36d7673f1f8e413dc931a201967712a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1849ee88-3ca4-4367-9c5f-3ebf988c1e75.vbs

Filesize
704B

MD5
3184cd045797cef8e2c56ba3e9fe3a2b

SHA1
d6688e987a9e8311c0814a61b45bb7742f360f30

SHA256
b07934562145a0dfe3917099da07f74f29d741984745c0be7a3ee77cd9e03834

SHA512
cc575ad3d5a298df1698958899874b3bb668120b58968e06065fa5da39d5f0d9de3fdcc95cea4a3250a4cf6655bed5127c89bc3dbc56db28d67fe4d67e83094e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a259954-f278-4c40-b898-72a1ec086170.vbs

Filesize
703B

MD5
c41614d39bbc8abcde63d0ad6968c7b0

SHA1
1388172b2e1305f36ae07432415535529b911c76

SHA256
559a81cb59e598da4c2e6e20c07914e5673207e258435b37e8b5e3c3919cfb85

SHA512
89b34feea454b6a174019a0d32e133f065e39a660a2e8e982926f9e19a2b2be02781eaaf6d345679093d57da2b004e37ceb738fa5c291e62fba897be92617128

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e595425-2b73-4195-8911-5c6073effb7a.vbs

Filesize
704B

MD5
c695b3772decbabc6e6bb97d17c5749a

SHA1
490d25d258116d24bea41653a6e703876f87419c

SHA256
6af67297ae72e2eabaabb2d0a6042401ad6bfb43afe23d3daebde437410d6dcd

SHA512
fc0c5c19c185e968de565d9fc1d71efc30abb49f093fff4c5b395c835c5077f4f0a91297fdab31702908f04b14c6019520cf44c4a6faa9f25af71774e52fe181

Download Submit
C:\Users\Admin\AppData\Local\Temp\54560b77-8407-4bae-a88d-20ef2533176f.vbs

Filesize
704B

MD5
f58f58cdcbf38d71dee657a3a405606b

SHA1
f6ac6d8d9df09f3e7dc31340afe1103a4fef1126

SHA256
fa26540fdb9a61cb5930cb432228e7e1c5f41f6fffa9fa5dc0c4f1fbfc75933a

SHA512
732957c47720decedade0eac09d14d39896c28d4b9f7dac4e74f2b336b80a62f4af6dd386bce693ba32a636625414c5f39229ebd3b3d79e36b4049819c3c374e

Download Submit
C:\Users\Admin\AppData\Local\Temp\55b0723a-52e8-40b0-9364-d19752616b1d.vbs

Filesize
703B

MD5
c92124da15ddcbf14933c4b3e8180725

SHA1
2768e3ab2c7573e105119a4c0009d3dd06e67eff

SHA256
49df607934547a54bda8df192970b1bedc296912e7c7b632648d63edef9fcc12

SHA512
53e30b77ed52deb30c4c3ebc92010ad1f2caab3c2b734c3f10588d05f6dbe0f6ae6d7a8684dfbacd39fc8c4e017d999cdecb3230e5ab3b0fbcae2b8b3b7f6319

Download Submit
C:\Users\Admin\AppData\Local\Temp\6768f131-2ea9-46bc-9e4c-ca0c7654fb2e.vbs

Filesize
704B

MD5
f61d1a15f79746e86ec1ce9f3e7cfff6

SHA1
1f1021b1675d137e4f55336175c1c4671d46f194

SHA256
2a09546aab0c114b10d1c33dc649b980271a15c624df434f8a8765a3c2603d88

SHA512
2a8ab1f9583dfa9bd4cf87d8a52ba6f527196b2c6dd12226bd79d47bffc084d7c87dcc468bb990076adf596956519a580e4179bb4f59ec78f16be51398ddd3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b437ed2-39fd-41bc-b03d-3d2c491f60c5.vbs

Filesize
704B

MD5
49e4f9aaf17cd5a5e03c403c5ecd526a

SHA1
f1539bb3c97a6571ad54a8a4280add45f221c2ec

SHA256
7e730e47460f407c47790b910c770a871c94682250453d0aba571e45c823a0d7

SHA512
7dbc2e7097144122ac0e193d17e755b857f245aaddf6c54927380057e7feea908eb81d98c9c0b16fae76a1d7ec1e7ae19b45337eb0f0233befba969df49c83c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\731a0643-9b43-4ad9-aa55-421bf99ec43e.vbs

Filesize
704B

MD5
42c281b3f2f088fa1c5e2fd7108df6fb

SHA1
76ae81c10498451a68ac1971ce87c4f760e23774

SHA256
f190dd71cc61508f26a7ea0f660a598dc35583fab040d6e6cf76f3e73e192195

SHA512
27692bedf5b84819b4437e9d44e2517eb09dc504edab243e46cc18497f9676710065b0520f5f8bec53f361c6c36508a7e5a20b222d954ab9d6c6b4fe92cb72a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e78716f-e5e2-46a7-b033-7b3ab4766850.vbs

Filesize
480B

MD5
acbf55539bf530d14dc41327c3b69e2b

SHA1
087ae2b77d632b1baa9a79068e3621f7369c5b2e

SHA256
0bb5ad6fecbe44d6e417e55c2c6c19a6c48346216f400390b3d09a3dd07db417

SHA512
c5574e9d862939c920948eb971a6b2f9c769834129bfff81528d4977d1202bce3f2d6df9a345fc240f4eaa71c89aaf6aa95f7b39bce2e1de780c033c8b2526e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e916356-a953-44c7-8530-d95597a79d0b.vbs

Filesize
704B

MD5
6af2877c20222110e7865a881839e413

SHA1
f7b0552fbcd880d02c9b818b24bbcf7bc2bfaeee

SHA256
5dab890617e8e2e0d9351e122f47dd491a73e75e93e4669435906625ddbf4b79

SHA512
5027136c6d808d19ea6d2eb1cb557db95b74d9e43aca88026e494dc93c9556414a15d686306158143a05b33edc11257f97e3b09a47c35d40d6cf950400b38687

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtvPUwLvJY.bat

Filesize
193B

MD5
687152759715b1c7b613b2bfe38c9148

SHA1
3df9f7f1b7fac0b3357c74751430da25c02eb7d9

SHA256
3f3727cbda4f70737226d4abd554a673a4ce70e7a4b91dbf2005fa8dcd867107

SHA512
a605608677b9ed14a6c275189aac972418ab6bd7148b5984d1b7ce9b9fea139408bf55ae7dcf04c45849cd9855a43bc6dd119c57cc71ac3b3572e255ab8a2aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b65075b9-6742-464f-b51a-0c98524da1b0.vbs

Filesize
704B

MD5
498037286fa8aa95237f5e11de0ea892

SHA1
ef7a9c7d0e95f616abfcd940e3ed5f4c7be16858

SHA256
5c5a1aef95c5f1f70a7eaa4dbdb12c41a5cd3dc9b06fe4b99a5004973ebba63d

SHA512
90f6c610bcfabc3fd5785534a9d05942a95efdf0f6e1d0fa9dd8667f441265a20f19864eb3769c3ae10a303f895602794f92c929a25e417576f3d3b7ee979726

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2dc70cd-c7a7-4c95-b5a8-a7e778ae12bd.vbs

Filesize
704B

MD5
21ba07ca269a8c0ffebb619519f74404

SHA1
e8876648ff1a73bdced2181f92d74027297ac606

SHA256
1b1139dff868fc5bcb63e7ac9f40ea6ecf2f14338a48acddef890d8a1c7a2c99

SHA512
95e26a82c29bc53e05c1680cd21a0640a4d3a5a366d49382c000953000eab5b42cf7bdc0a21aeba7540f228ada6a74fbf82b561836d22b4b0bb7fe652ff6c87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f32c890a-8ddf-418a-931f-fe1b3fd96af4.vbs

Filesize
704B

MD5
eb420eb5c66a2a9ea3b196567f2c6065

SHA1
f7147ce910460c8a1f577a6c4115f1f4f904b809

SHA256
7c40dbab844b385dfe1da458d9fb380d6b2a1c678d4c72b740924db149cf6498

SHA512
06eaf836850d496f6245e48d79092e878f9ef54a02fa45bc1bac769162c4b13615e9f3d6d2649f9d510aa960c4ecd5cb13cada9353d33c0a9a42d6ef54f0de36

Download Submit
\MssurrogateBrowserDrivermonitor\reviewnet.exe

Filesize
3.4MB

MD5
7d995f38d429ff33eaf4ce89f60585f9

SHA1
160f3163b335110d718e98390add6ca7a110a8ca

SHA256
49877051396a67dc531bb04d9745c78820a04e21ab3a6071906739ef48098b68

SHA512
61cb35e8469cd396b8487ca31542d0f505179283aa7d645344f2de7ffa47cfda0013bdfa2c5b29edd16978bce9a90fe2795a62e3dd4b900d9db5431b2d81f887

Download Submit
memory/912-200-0x0000000000AF0000-0x0000000000E5A000-memory.dmp

Filesize
3.4MB

Download
memory/1760-212-0x0000000000BE0000-0x0000000000F4A000-memory.dmp

Filesize
3.4MB

Download
memory/1972-111-0x0000000000310000-0x000000000067A000-memory.dmp

Filesize
3.4MB

Download
memory/1972-112-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2076-174-0x00000000002D0000-0x000000000063A000-memory.dmp

Filesize
3.4MB

Download
memory/2152-151-0x00000000012A0000-0x00000000012B2000-memory.dmp

Filesize
72KB

Download
memory/2152-150-0x0000000001340000-0x00000000016AA000-memory.dmp

Filesize
3.4MB

Download
memory/2160-138-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/2160-137-0x0000000000D30000-0x000000000109A000-memory.dmp

Filesize
3.4MB

Download
memory/2244-125-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/2244-124-0x00000000003E0000-0x000000000074A000-memory.dmp

Filesize
3.4MB

Download
memory/2348-99-0x0000000000A90000-0x0000000000AE6000-memory.dmp

Filesize
344KB

Download
memory/2348-98-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/2348-97-0x00000000000E0000-0x000000000044A000-memory.dmp

Filesize
3.4MB

Download
memory/2676-225-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/2676-224-0x0000000001310000-0x000000000167A000-memory.dmp

Filesize
3.4MB

Download
memory/2796-86-0x000000001A950000-0x000000001A962000-memory.dmp

Filesize
72KB

Download
memory/2796-85-0x0000000000BF0000-0x0000000000F5A000-memory.dmp

Filesize
3.4MB

Download
memory/2824-32-0x000000001B040000-0x000000001B096000-memory.dmp

Filesize
344KB

Download
memory/2824-35-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/2824-52-0x000000001B0F0000-0x000000001B0FA000-memory.dmp

Filesize
40KB

Download
memory/2824-53-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/2824-50-0x000000001B0D0000-0x000000001B0DC000-memory.dmp

Filesize
48KB

Download
memory/2824-49-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

Filesize
32KB

Download
memory/2824-48-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

Filesize
56KB

Download
memory/2824-47-0x000000001B0A0000-0x000000001B0A8000-memory.dmp

Filesize
32KB

Download
memory/2824-46-0x000000001B090000-0x000000001B09E000-memory.dmp

Filesize
56KB

Download
memory/2824-45-0x000000001AF30000-0x000000001AF3A000-memory.dmp

Filesize
40KB

Download
memory/2824-44-0x000000001AEA0000-0x000000001AEAC000-memory.dmp

Filesize
48KB

Download
memory/2824-43-0x000000001AE90000-0x000000001AE98000-memory.dmp

Filesize
32KB

Download
memory/2824-42-0x000000001AE80000-0x000000001AE8C000-memory.dmp

Filesize
48KB

Download
memory/2824-41-0x000000001AE30000-0x000000001AE3C000-memory.dmp

Filesize
48KB

Download
memory/2824-40-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/2824-39-0x000000001AE10000-0x000000001AE1C000-memory.dmp

Filesize
48KB

Download
memory/2824-38-0x000000001AE00000-0x000000001AE0C000-memory.dmp

Filesize
48KB

Download
memory/2824-37-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2824-36-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2824-51-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

Filesize
32KB

Download
memory/2824-34-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2824-33-0x00000000024C0000-0x00000000024CC000-memory.dmp

Filesize
48KB

Download
memory/2824-31-0x00000000024B0000-0x00000000024BA000-memory.dmp

Filesize
40KB

Download
memory/2824-30-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/2824-29-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2824-28-0x0000000002470000-0x000000000247C000-memory.dmp

Filesize
48KB

Download
memory/2824-27-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/2824-26-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2824-18-0x0000000000A90000-0x0000000000DFA000-memory.dmp

Filesize
3.4MB

Download
memory/2824-19-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2824-20-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/2824-25-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/2824-24-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2824-23-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2824-22-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/2824-21-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2996-188-0x00000000022F0000-0x0000000002346000-memory.dmp

Filesize
344KB

Download
memory/2996-187-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2996-186-0x0000000000160000-0x00000000004CA000-memory.dmp

Filesize
3.4MB

Download