dcrat | 078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
Size

3.6MB
MD5

646a50d060ae1b649f0ca735aabf5744
SHA1

a666932e153ef1d2c2463009e0df4de9bdf73322
SHA256

078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
SHA512

0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c
SSDEEP

98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M

Score

10^/10

dcrat discovery evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 28 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		3044	schtasks.exe
		1388	schtasks.exe
		2000	schtasks.exe
		520	schtasks.exe
		2248	schtasks.exe
		2552	schtasks.exe
		2988	schtasks.exe
		1176	schtasks.exe
		972	schtasks.exe
		2976	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
		2324	schtasks.exe
		2508	schtasks.exe
		2980	schtasks.exe
		2756	schtasks.exe
		2380	schtasks.exe
		1088	schtasks.exe
		2256	schtasks.exe
		1464	schtasks.exe
		3016	schtasks.exe
		1664	schtasks.exe
		2284	schtasks.exe
		1956	schtasks.exe
		1808	schtasks.exe
		1540	schtasks.exe
		2276	schtasks.exe
		1412	schtasks.exe
		3056	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

chainagent.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\smss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\smss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\csrss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\chainagent.exe\", \"C:\\fontMonitor\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\smss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\smss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsass.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\smss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsass.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\csrss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\chainagent.exe\""	chainagent.exe

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2232	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2232	schtasks.exe	34

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

chainagent.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x000600000001960c-9.dat	dcrat
behavioral1/memory/2688-13-0x0000000001000000-0x000000000135C000-memory.dmp	dcrat
behavioral1/memory/940-71-0x0000000000C60000-0x0000000000FBC000-memory.dmp	dcrat
behavioral1/memory/2800-309-0x0000000000FD0000-0x000000000132C000-memory.dmp	dcrat
behavioral1/memory/984-548-0x0000000000290000-0x00000000005EC000-memory.dmp	dcrat
behavioral1/memory/3028-668-0x0000000000DA0000-0x00000000010FC000-memory.dmp	dcrat
behavioral1/memory/2948-905-0x0000000001170000-0x00000000014CC000-memory.dmp	dcrat
behavioral1/memory/1608-1025-0x00000000001E0000-0x000000000053C000-memory.dmp	dcrat

Executes dropped EXE 10 IoCs

Processes:

chainagent.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	Process
2688	chainagent.exe
940	cmd.exe
2312	cmd.exe
2800	cmd.exe
1904	cmd.exe
984	cmd.exe
3028	cmd.exe
848	cmd.exe
2948	cmd.exe
1608	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2912	cmd.exe
2912	cmd.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

chainagent.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\fontMonitor\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Internet Explorer\\es-ES\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Internet Explorer\\es-ES\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsass.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chainagent = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\chainagent.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\fontMonitor\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsass.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\chainagent = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\chainagent.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\cmd.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\""	chainagent.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exechainagent.execmd.execmd.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in Program Files directory 2 IoCs

Processes:

chainagent.exe

description	ioc	Process
File created	C:\Program Files\Internet Explorer\es-ES\smss.exe	chainagent.exe
File created	C:\Program Files\Internet Explorer\es-ES\69ddcba757bf72	chainagent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.execmd.exe078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3016	schtasks.exe
1412	schtasks.exe
1388	schtasks.exe
2324	schtasks.exe
2276	schtasks.exe
2980	schtasks.exe
1664	schtasks.exe
520	schtasks.exe
3056	schtasks.exe
2508	schtasks.exe
3044	schtasks.exe
1176	schtasks.exe
1540	schtasks.exe
2976	schtasks.exe
1088	schtasks.exe
2256	schtasks.exe
2988	schtasks.exe
1808	schtasks.exe
2380	schtasks.exe
2756	schtasks.exe
2000	schtasks.exe
2284	schtasks.exe
972	schtasks.exe
1956	schtasks.exe
2248	schtasks.exe
2552	schtasks.exe
1464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chainagent.execmd.exe

pid	Process
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
2688	chainagent.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

chainagent.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process
Token: SeDebugPrivilege	2688	chainagent.exe
Token: SeDebugPrivilege	940	cmd.exe
Token: SeDebugPrivilege	2312	cmd.exe
Token: SeDebugPrivilege	2800	cmd.exe
Token: SeDebugPrivilege	1904	cmd.exe
Token: SeDebugPrivilege	984	cmd.exe
Token: SeDebugPrivilege	3028	cmd.exe
Token: SeDebugPrivilege	848	cmd.exe
Token: SeDebugPrivilege	2948	cmd.exe
Token: SeDebugPrivilege	1608	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exeWScript.execmd.exechainagent.execmd.exeWScript.execmd.exeWScript.execmd.exeWScript.execmd.exeWScript.execmd.exeWScript.execmd.exe

description	pid	Process	procid_target
PID 2476 wrote to memory of 2940	2476	078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe	30
PID 2476 wrote to memory of 2940	2476	078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe	30
PID 2476 wrote to memory of 2940	2476	078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe	30
PID 2476 wrote to memory of 2940	2476	078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe	30
PID 2940 wrote to memory of 2912	2940	WScript.exe	31
PID 2940 wrote to memory of 2912	2940	WScript.exe	31
PID 2940 wrote to memory of 2912	2940	WScript.exe	31
PID 2940 wrote to memory of 2912	2940	WScript.exe	31
PID 2912 wrote to memory of 2688	2912	cmd.exe	33
PID 2912 wrote to memory of 2688	2912	cmd.exe	33
PID 2912 wrote to memory of 2688	2912	cmd.exe	33
PID 2912 wrote to memory of 2688	2912	cmd.exe	33
PID 2688 wrote to memory of 940	2688	chainagent.exe	62
PID 2688 wrote to memory of 940	2688	chainagent.exe	62
PID 2688 wrote to memory of 940	2688	chainagent.exe	62
PID 940 wrote to memory of 884	940	cmd.exe	63
PID 940 wrote to memory of 884	940	cmd.exe	63
PID 940 wrote to memory of 884	940	cmd.exe	63
PID 940 wrote to memory of 2052	940	cmd.exe	64
PID 940 wrote to memory of 2052	940	cmd.exe	64
PID 940 wrote to memory of 2052	940	cmd.exe	64
PID 884 wrote to memory of 2312	884	WScript.exe	65
PID 884 wrote to memory of 2312	884	WScript.exe	65
PID 884 wrote to memory of 2312	884	WScript.exe	65
PID 2312 wrote to memory of 2848	2312	cmd.exe	66
PID 2312 wrote to memory of 2848	2312	cmd.exe	66
PID 2312 wrote to memory of 2848	2312	cmd.exe	66
PID 2312 wrote to memory of 2988	2312	cmd.exe	67
PID 2312 wrote to memory of 2988	2312	cmd.exe	67
PID 2312 wrote to memory of 2988	2312	cmd.exe	67
PID 2848 wrote to memory of 2800	2848	WScript.exe	68
PID 2848 wrote to memory of 2800	2848	WScript.exe	68
PID 2848 wrote to memory of 2800	2848	WScript.exe	68
PID 2800 wrote to memory of 1696	2800	cmd.exe	69
PID 2800 wrote to memory of 1696	2800	cmd.exe	69
PID 2800 wrote to memory of 1696	2800	cmd.exe	69
PID 2800 wrote to memory of 2444	2800	cmd.exe	70
PID 2800 wrote to memory of 2444	2800	cmd.exe	70
PID 2800 wrote to memory of 2444	2800	cmd.exe	70
PID 1696 wrote to memory of 1904	1696	WScript.exe	71
PID 1696 wrote to memory of 1904	1696	WScript.exe	71
PID 1696 wrote to memory of 1904	1696	WScript.exe	71
PID 1904 wrote to memory of 1752	1904	cmd.exe	72
PID 1904 wrote to memory of 1752	1904	cmd.exe	72
PID 1904 wrote to memory of 1752	1904	cmd.exe	72
PID 1904 wrote to memory of 2872	1904	cmd.exe	73
PID 1904 wrote to memory of 2872	1904	cmd.exe	73
PID 1904 wrote to memory of 2872	1904	cmd.exe	73
PID 1752 wrote to memory of 984	1752	WScript.exe	74
PID 1752 wrote to memory of 984	1752	WScript.exe	74
PID 1752 wrote to memory of 984	1752	WScript.exe	74
PID 984 wrote to memory of 2248	984	cmd.exe	75
PID 984 wrote to memory of 2248	984	cmd.exe	75
PID 984 wrote to memory of 2248	984	cmd.exe	75
PID 984 wrote to memory of 2520	984	cmd.exe	76
PID 984 wrote to memory of 2520	984	cmd.exe	76
PID 984 wrote to memory of 2520	984	cmd.exe	76
PID 2248 wrote to memory of 3028	2248	WScript.exe	77
PID 2248 wrote to memory of 3028	2248	WScript.exe	77
PID 2248 wrote to memory of 3028	2248	WScript.exe	77
PID 3028 wrote to memory of 888	3028	cmd.exe	78
PID 3028 wrote to memory of 888	3028	cmd.exe	78
PID 3028 wrote to memory of 888	3028	cmd.exe	78
PID 3028 wrote to memory of 1932	3028	cmd.exe	79

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

cmd.execmd.exechainagent.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
"C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\fontMonitor\B6f2SnQ47.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\fontMonitor\chainagent.exe
      "C:\fontMonitor\chainagent.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2688
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:940
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03999b1c-8ad9-4cab-b13e-655aa98ea90c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d865edd-d382-40e8-9b8d-c3b91fabf241.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03b50dd4-4f83-4720-a2da-ff613750c1c1.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f27339f0-d9b3-4968-b8b8-a56b97a159de.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36649a07-b426-4d02-85ef-1bf8c3923719.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdd902ba-8c1e-44ad-924f-3994e31dd0e5.vbs"
        16⤵
        
        PID:888
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8216e6a8-7f90-40c6-aa4f-c33fbd771c01.vbs"
        18⤵
        
        PID:2680
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8b8812d-b64b-43f8-b6d2-1ecef64596b5.vbs"
        20⤵
        
        PID:1392
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132672bf-401d-4ae5-a6b4-14733c6c2d6d.vbs"
        22⤵
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de3ef71b-81f6-4686-8c5d-ff48ff7a918a.vbs"
        20⤵
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9edc4905-afc3-41c1-b681-fe3c02664789.vbs"
        18⤵
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0446e55c-d4b9-482c-91bf-3864f197418d.vbs"
        16⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0da1dde2-d9bd-42c8-9a19-c2dc52f5bec8.vbs"
        14⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ffe5ad-71ee-4e3d-9474-8c099b2d1a91.vbs"
        12⤵
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a1bc08-b3d7-49b3-99b5-423c0b190040.vbs"
        10⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5187083a-0c72-4bf8-833a-81ac9bd8db89.vbs"
        8⤵
        
        PID:2988
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5ebbb66-6600-4503-9c7a-17e5222460f3.vbs"
        6⤵
        
        PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\es-ES\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\chainagent.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainagent" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\chainagent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\chainagent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\fontMonitor\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\fontMonitor\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\fontMonitor\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5851f563f63c05bed3ead28b7308c02

SHA1
9b01645d8c7a7de7802a8d5a7395b39374175d0f

SHA256
9df80a0c756e1bc816924ee9aeea635066f91195fa2921eeed679dd332cc900c

SHA512
29db89a0270e1de91db7fd253d477d3c92185ea87895c060f6c4e3ecf6900df2b909d9a238461a55cf48ecf5cc166c396958dd9678aaa7904e00717b7a2aa4de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fc7bdcc427b9e2490e38b52a7885091

SHA1
5d67871bb09551408b528ddbe2d80ab799def566

SHA256
d3dae5cb6ed8a7f32e68f33f3aaaf22dbc0989ded51426893611ccb642240968

SHA512
1c15a43c5e0a354d8095a8d8b6384f2023bad77415512d2847e87364db1306c14366421c8e54fc8826b4e63f6c1ac392951f5c2e78ef5f092b30b1630731c29c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbfca8379d7db3d19ac490c089919807

SHA1
868630ef44bbe0d8cd205c5956701eb82df4989e

SHA256
9cde9ac4618de95d7359ce7df9910783e510687b1a7777c7e960044b0d1527a7

SHA512
5c499c9f94212f6a7c6f14546bba3710f5d18ff6551370759e6ba0fd291a279469d8e75764ceb025a7fade202ccbbff4ec52d4991e76fea981b3534076888340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2351facb1a1d4a701e7b7f474fa9cad7

SHA1
6ae19eda073ec866f1fbe79630a0f9c0d32fd843

SHA256
a53fc97bcf5e74f4071ba42ceb06fe38b5e7dd5474d1e70be8705a53afe821c6

SHA512
348f821a6f680c2d637f17cc4ef35246df7c75672a74583b43c05c8008827ef12db88756c4341e91ebd71ce5a104c548da254eaf318c336c983dde6c7d508bcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06e8d5ccb744fd956ff102c0d3fffacc

SHA1
d65764e98d6aae2665649b01126048b524479bc8

SHA256
8932cf6db1165f1a4a92b4f53820b9e26dea0c817a70d6b4c956c83846bb1cb0

SHA512
9d959a7ea4d3ec493552d276ef9e9d05e8dd10de922a4ee65904f6e96a0e4c8c14a9cbcc5ca4ea50adb938387daa0734c6171669a7816c3c687c90759e1d612d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a7888daacccaf391e6113fc5d2df89d

SHA1
3f5c4a9f2e39c05a461c4b8a576585b85db0278e

SHA256
8120bdcf7eb79d13a6899ba17de3f5a5d90305fa993bc3935d5b6fd87a5d5717

SHA512
d61c63561beb3e42dc7e86037f8d1bc1be1c91c7fbe64554755cfd31e4dcf6a59de48efc4b3d7da1e8defaee8e372da84b01e8b5ebca443f415e52405d0a5221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c62c7bfc634343ef576b05abbd54d4c

SHA1
d61be42e9cde08b30ca0f3ce55f539fdbb7d89fc

SHA256
274b95cef7d0e1742cc735ed5954c71f39b8f83acdc6bfedaf87bc3dc01f428d

SHA512
fd70d9f58031e4e064d8d3666c9dd43e5db31290cd5c0ec764d3b6cb376358d3853c4f4417ed05d88e7c0e1251a921a18b65a8f0520f0d476ec87820665bbc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\03999b1c-8ad9-4cab-b13e-655aa98ea90c.vbs

Filesize
731B

MD5
329b3dd7155b8f2bce6451db3de56e69

SHA1
fe449b4aca855432f6b84ff01f8fa272264ca0fd

SHA256
beafedc34e9e2c2c642e86eb0a1edac8256d8ce852bcf077b03c3b47ac381d7b

SHA512
32065c2b8c005833c7b0fc5e97d61cfc749c3a0cb254a5b84c1f1a8f2c66064ffdab12bec42c85593907ddcd6f1a17988f72b0947742e4be523c865a97667b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\03b50dd4-4f83-4720-a2da-ff613750c1c1.vbs

Filesize
732B

MD5
5f5cf4bc2889a4a2f5085fb7d2db8c8c

SHA1
a272f28a6a2fa28c95535c83972853c6228c3578

SHA256
2a84ed6243c7b1030c4fd7180f90c61739dd36cd2b0289a53a88a4e59a874c43

SHA512
c2809e48703aec090abd3d31901c0bc524ec004bb1a4651eea2f018494d16f563c1121e707304eae9d6b445b152d02deaeca3d22f57276ed8c0e58e99ccbdd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\132672bf-401d-4ae5-a6b4-14733c6c2d6d.vbs

Filesize
732B

MD5
c52fa12e5c0de66b0668e129283bd8c7

SHA1
2051d1489f85174472a911fe68856d2704ffa513

SHA256
3bf8744c885f91a80f7897d26b4f0685b5b0622fd37ebab59e6cb578c39fd9c1

SHA512
d22b38218ddff92fab41f20f67fda155aaeab9e542ab8fd206b9100e942e94843ea0d80c79b4c0d4e34ae89f92e2800c15e4c73e6417c1a839c44a8609b17d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\36649a07-b426-4d02-85ef-1bf8c3923719.vbs

Filesize
731B

MD5
8bd6332e999eb0311a074b1b8f82a60e

SHA1
a977b711e5f7c4f1c99c9890a126beb01297d855

SHA256
04aeab885f488b562c57a9702dadb66279fa262df96ae34e43798df6f5321d34

SHA512
79fdc7aac9469f5dfc00a9e3af415d98e8afb41ea2ab1c6e92f254a272ab78837474a453f49ce76d699f70c546e6f40591dbba6fb7954eb9e31656987009ac1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5187083a-0c72-4bf8-833a-81ac9bd8db89.vbs

Filesize
508B

MD5
185acc4358d6a2d57a4d11b7c441f571

SHA1
e0789b0e71f2bc830e55d8cf4399d20ddd0b8a4d

SHA256
1f2fd8089b5052999ff3a76415153a46b4594feab5054d9be64dd5b7086b7c39

SHA512
af68ae851e5fd4f5b7949803864f378c00726e49ef6c0e751f771e5c5795ad711b06c30ea9cc01def089cd66bcd6c0d2f6f104c7feeaf8e0a462a7ac6d37b772

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d865edd-d382-40e8-9b8d-c3b91fabf241.vbs

Filesize
732B

MD5
a545cadd86bfc5e5a00e155c9e0e49b0

SHA1
af10471f1b56245b66c95029b44b26663f56f765

SHA256
9f51b7a7bfecc5c9d6d610f5b0186aac1cd34e593e9f45e29e21fe014181d3c0

SHA512
fbcccea57eeee778687b4083eac83d1f126de2c95276a14ddf234609d630ac4d2d959819f74e798f67fde018e68bc4d2099947adadce13d27da0d444ab91c1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8216e6a8-7f90-40c6-aa4f-c33fbd771c01.vbs

Filesize
731B

MD5
2516dd627a9f1dff724a433883b1d8e9

SHA1
0e2203bb6e68445e3c91005e09a8815cf96f2750

SHA256
9ab3ebbd7947a9ecd481c0cb1b42bb8a1f3ba2a83c02f467312a6eedb7fd7823

SHA512
2ebed9c8a7b965b55ce6c6dccb06e3ea2a1e8ea020ed71711a5ff1ebacebac15800ebfa33a6bcc23047d682fbca870318d989ad644cb65687050a524d90f3968

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC093.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC0C5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdd902ba-8c1e-44ad-924f-3994e31dd0e5.vbs

Filesize
732B

MD5
9115e57462e77282a78ff0d76776ad4c

SHA1
59fd442b72647d14d5b4b0f2b5a7ad0bf1a66031

SHA256
ca19da3b5fc180c69abccac2699ba72b6f41a501a174aa28efe49c23c2c58d20

SHA512
ab483ed30514079b22e71e897faabf9f2bcf3bc8bdbe057e23a87da8fa25ff1f407882b7edecdb8af6b31ccaf95bc08bad45d58b79c8bb0563727af7c6f17ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f27339f0-d9b3-4968-b8b8-a56b97a159de.vbs

Filesize
732B

MD5
d9086ec5895c1bf272835aeaef816d5b

SHA1
970fba54ccc8c2fdd091fb03d686470e857cfb12

SHA256
7b3558b1bef7d95144a4462abbe2248f94c1b21e944687bcbb1e94671ca28e71

SHA512
0e8260755fff3c6debb9876a5fb204aeaf54f1e6c2d757ee613e43a33fbad2608d37f171de22e87ad60e3e7c375793209badab2384dc9f908e841514b7ce5376

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8b8812d-b64b-43f8-b6d2-1ecef64596b5.vbs

Filesize
732B

MD5
e17c49ae6d521f4fbd01d697ede08ea2

SHA1
b25890e54f0a5b20fbcee95a8c86d7b237130c18

SHA256
869b43b9fc5c0142323ff3ddbabd46d97d6a8b09d17c72e78d6eacfc6f0e1b3d

SHA512
2ce31a3f599aaa7095b967c453dabe0d3be42dbc54ce7a40260079fd7aff8aafd4322e18e7ee8b2908231828d85d2cf7e5fbe7c0c6c404379eeafeafbeb53f27

Download Submit
C:\fontMonitor\B6f2SnQ47.bat

Filesize
31B

MD5
d919292d76ba6af3f0a7c88b2d07c4fa

SHA1
0fa76a1456603b525f53d9e787d1a800172afdf8

SHA256
52bde46534a8a1ea436617040c311631ce470e0e60875585921e2b3fbde3809c

SHA512
3a39f5a6a544634841f20d26dcbc3b2f875639e38eb1f5db1d243517ed87e8df542459e3b65d3336c69293a37e8f3ac03fd4a11330163fbf9eb8bc2218e7a9b5

Download Submit
C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe

Filesize
197B

MD5
692908a9fe7461b9736233b4b217f221

SHA1
b3bb8803bba51dd7c622d2a1e4f2c8e4b1c4184d

SHA256
d3be77c2e695644f8dfbc8342c806f5f48c3074f5ea1000aa300b6c7061e591f

SHA512
f38138284e905c6c877dd67de0858ce6d80403c712249b6e353c51389aa86c67ca29ba4f455d4ab4f1b5f5c6e3c8e1fccbdf01b8d0766aa93b35fb8da5230788

Download Submit
\fontMonitor\chainagent.exe

Filesize
3.3MB

MD5
e74be6bbac3ea0713506397d5d6ef541

SHA1
dc4c91d512cb544c5c458e1aecc6bd8a7fab61f9

SHA256
58440f3b4db0b30ffa0001857bd2cf329d470c518895ac668ab2eb25a10499f7

SHA512
09f31ce980869b6e2d53ee391a62150fdec456ceafa22879f4268094eec03614e77def0dc1adea064e59982838286020e6af45e78c7db3c4cdc1da965c1cd185

Download Submit
memory/940-73-0x00000000024A0000-0x00000000024F6000-memory.dmp

Filesize
344KB

Download
memory/940-74-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/940-72-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/940-71-0x0000000000C60000-0x0000000000FBC000-memory.dmp

Filesize
3.4MB

Download
memory/984-548-0x0000000000290000-0x00000000005EC000-memory.dmp

Filesize
3.4MB

Download
memory/984-549-0x000000001A9B0000-0x000000001A9C2000-memory.dmp

Filesize
72KB

Download
memory/1608-1025-0x00000000001E0000-0x000000000053C000-memory.dmp

Filesize
3.4MB

Download
memory/1904-429-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2312-190-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/2688-27-0x0000000000F90000-0x0000000000FE6000-memory.dmp

Filesize
344KB

Download
memory/2688-30-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/2688-43-0x000000001AEE0000-0x000000001AEEC000-memory.dmp

Filesize
48KB

Download
memory/2688-44-0x000000001AEF0000-0x000000001AEF8000-memory.dmp

Filesize
32KB

Download
memory/2688-45-0x000000001AF00000-0x000000001AF0A000-memory.dmp

Filesize
40KB

Download
memory/2688-46-0x000000001B010000-0x000000001B01C000-memory.dmp

Filesize
48KB

Download
memory/2688-41-0x000000001AEC0000-0x000000001AEC8000-memory.dmp

Filesize
32KB

Download
memory/2688-40-0x000000001AEB0000-0x000000001AEBE000-memory.dmp

Filesize
56KB

Download
memory/2688-39-0x000000001AEA0000-0x000000001AEAA000-memory.dmp

Filesize
40KB

Download
memory/2688-38-0x000000001AE90000-0x000000001AE9C000-memory.dmp

Filesize
48KB

Download
memory/2688-37-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/2688-36-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

Filesize
48KB

Download
memory/2688-35-0x0000000000E80000-0x0000000000E8C000-memory.dmp

Filesize
48KB

Download
memory/2688-34-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/2688-33-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/2688-32-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/2688-31-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2688-13-0x0000000001000000-0x000000000135C000-memory.dmp

Filesize
3.4MB

Download
memory/2688-14-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/2688-42-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/2688-29-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2688-28-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2688-26-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2688-25-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2688-24-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2688-23-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2688-22-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/2688-20-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2688-15-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2688-21-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2688-19-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2688-18-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2688-17-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2688-16-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2800-310-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/2800-309-0x0000000000FD0000-0x000000000132C000-memory.dmp

Filesize
3.4MB

Download
memory/2948-906-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2948-905-0x0000000001170000-0x00000000014CC000-memory.dmp

Filesize
3.4MB

Download
memory/3028-668-0x0000000000DA0000-0x00000000010FC000-memory.dmp

Filesize
3.4MB

Download