dcrat | 1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33ee

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Size

4.9MB
MD5

052d4c3f15c5c8287292023613a04e70
SHA1

3cefd72b8de7cdc3b9a713224603fcfbcb148350
SHA256

1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33ee
SHA512

8a91c712564fb3add3b9b66eb259a0321fb1bcb5cd3642667a9a0b3a34cb2b30431e4455d457a95ddef01921a1a88830e2dcb3aab2d3949f160f8da9486c224c
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		2772	schtasks.exe
		2204	schtasks.exe
		2200	schtasks.exe
		2456	schtasks.exe
		1704	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3		1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
		2608	schtasks.exe
		1032	schtasks.exe
		1780	schtasks.exe
		2928	schtasks.exe
		1160	schtasks.exe
		1748	schtasks.exe
		2804	schtasks.exe
		1620	schtasks.exe
		2636	schtasks.exe
		2076	schtasks.exe
		992	schtasks.exe
		2620	schtasks.exe
		288	schtasks.exe
		2408	schtasks.exe
		2728	schtasks.exe
File created	C:\Program Files\DVD Maker\es-ES\6cb0b6c459d5d3		1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
		2536	schtasks.exe
		1656	schtasks.exe
		2952	schtasks.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240		1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
		2600	schtasks.exe
		2212	schtasks.exe
		1328	schtasks.exe
		2380	schtasks.exe
		2756	schtasks.exe
		928	schtasks.exe
		804	schtasks.exe
		2208	schtasks.exe
		2260	schtasks.exe
		1640	schtasks.exe
		940	schtasks.exe
		2884	schtasks.exe
		2488	schtasks.exe
		2744	schtasks.exe
		2984	schtasks.exe
		1608	schtasks.exe
		2920	schtasks.exe
		828	schtasks.exe
		1480	schtasks.exe
		2972	schtasks.exe
		2252	schtasks.exe
		3056	schtasks.exe
		1400	schtasks.exe
		1788	schtasks.exe
		400	schtasks.exe
		2064	schtasks.exe
		2660	schtasks.exe
		2476	schtasks.exe
		2228	schtasks.exe
		2788	schtasks.exe
		2300	schtasks.exe
		1056	schtasks.exe
		2528	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
		1724	schtasks.exe
		2608	schtasks.exe
		2876	schtasks.exe
		2840	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2116	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2116	schtasks.exe	29

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/3012-3-0x000000001B6D0000-0x000000001B7FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2168	powershell.exe
2644	powershell.exe
900	powershell.exe
1556	powershell.exe
2204	powershell.exe
2276	powershell.exe
2324	powershell.exe
1240	powershell.exe
1920	powershell.exe
1648	powershell.exe
756	powershell.exe
2280	powershell.exe
2676	powershell.exe
1676	powershell.exe
2288	powershell.exe
2484	powershell.exe
2320	powershell.exe
1920	powershell.exe
1588	powershell.exe
1280	powershell.exe
1848	powershell.exe
3012	powershell.exe
844	powershell.exe
2208	powershell.exe

Executes dropped EXE 7 IoCs

Processes:

1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
2996	dwm.exe
2500	dwm.exe
756	dwm.exe
1016	dwm.exe
328	dwm.exe
1964	dwm.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in Program Files directory 30 IoCs

Processes:

1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\DVD Maker\es-ES\dwm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files\Uninstall Information\Idle.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Uninstall Information\6ccacd8608530f	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\smss.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\69ddcba757bf72	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6203df4a6bafc7	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD3F.tmp	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\dwm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\6cb0b6c459d5d3	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\smss.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF62.tmp	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Uninstall Information\Idle.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\DVD Maker\es-ES\6cb0b6c459d5d3	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCX8F9.tmp	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Windows Portable Devices\dwm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\dwm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe

Drops file in Windows directory 3 IoCs

Processes:

1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe

description	ioc	Process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\101b941d020240	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2744	schtasks.exe
2608	schtasks.exe
2600	schtasks.exe
1704	schtasks.exe
1608	schtasks.exe
1400	schtasks.exe
400	schtasks.exe
2408	schtasks.exe
2208	schtasks.exe
2620	schtasks.exe
2528	schtasks.exe
1160	schtasks.exe
288	schtasks.exe
2300	schtasks.exe
1780	schtasks.exe
2920	schtasks.exe
1640	schtasks.exe
2728	schtasks.exe
940	schtasks.exe
1620	schtasks.exe
3056	schtasks.exe
1032	schtasks.exe
2076	schtasks.exe
1748	schtasks.exe
2772	schtasks.exe
2804	schtasks.exe
2204	schtasks.exe
828	schtasks.exe
1724	schtasks.exe
2228	schtasks.exe
1656	schtasks.exe
928	schtasks.exe
1788	schtasks.exe
2840	schtasks.exe
2788	schtasks.exe
2608	schtasks.exe
1480	schtasks.exe
2260	schtasks.exe
2660	schtasks.exe
2064	schtasks.exe
2928	schtasks.exe
2476	schtasks.exe
2884	schtasks.exe
2952	schtasks.exe
2456	schtasks.exe
2212	schtasks.exe
1328	schtasks.exe
992	schtasks.exe
2488	schtasks.exe
2536	schtasks.exe
2756	schtasks.exe
2636	schtasks.exe
2972	schtasks.exe
2876	schtasks.exe
2200	schtasks.exe
804	schtasks.exe
2252	schtasks.exe
2984	schtasks.exe
2380	schtasks.exe
1056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
1848	powershell.exe
1648	powershell.exe
2276	powershell.exe
2208	powershell.exe
2676	powershell.exe
1920	powershell.exe
2320	powershell.exe
2204	powershell.exe
1588	powershell.exe
2280	powershell.exe
1280	powershell.exe
844	powershell.exe
1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
756	powershell.exe
2644	powershell.exe
2168	powershell.exe
2288	powershell.exe
1556	powershell.exe
2324	powershell.exe
1920	powershell.exe
1240	powershell.exe
900	powershell.exe
2484	powershell.exe
3012	powershell.exe
1676	powershell.exe
2996	dwm.exe
2500	dwm.exe
756	dwm.exe
1016	dwm.exe
328	dwm.exe
1964	dwm.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2996	dwm.exe
Token: SeDebugPrivilege	2500	dwm.exe
Token: SeDebugPrivilege	756	dwm.exe
Token: SeDebugPrivilege	1016	dwm.exe
Token: SeDebugPrivilege	328	dwm.exe
Token: SeDebugPrivilege	1964	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe

description	pid	Process	procid_target
PID 3012 wrote to memory of 1648	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	45
PID 3012 wrote to memory of 1648	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	45
PID 3012 wrote to memory of 1648	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	45
PID 3012 wrote to memory of 844	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	46
PID 3012 wrote to memory of 844	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	46
PID 3012 wrote to memory of 844	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	46
PID 3012 wrote to memory of 2320	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	48
PID 3012 wrote to memory of 2320	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	48
PID 3012 wrote to memory of 2320	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	48
PID 3012 wrote to memory of 1848	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	49
PID 3012 wrote to memory of 1848	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	49
PID 3012 wrote to memory of 1848	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	49
PID 3012 wrote to memory of 1920	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	51
PID 3012 wrote to memory of 1920	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	51
PID 3012 wrote to memory of 1920	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	51
PID 3012 wrote to memory of 2276	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	53
PID 3012 wrote to memory of 2276	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	53
PID 3012 wrote to memory of 2276	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	53
PID 3012 wrote to memory of 2204	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	54
PID 3012 wrote to memory of 2204	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	54
PID 3012 wrote to memory of 2204	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	54
PID 3012 wrote to memory of 1280	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	56
PID 3012 wrote to memory of 1280	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	56
PID 3012 wrote to memory of 1280	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	56
PID 3012 wrote to memory of 1588	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	57
PID 3012 wrote to memory of 1588	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	57
PID 3012 wrote to memory of 1588	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	57
PID 3012 wrote to memory of 2676	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	59
PID 3012 wrote to memory of 2676	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	59
PID 3012 wrote to memory of 2676	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	59
PID 3012 wrote to memory of 2280	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	61
PID 3012 wrote to memory of 2280	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	61
PID 3012 wrote to memory of 2280	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	61
PID 3012 wrote to memory of 2208	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	62
PID 3012 wrote to memory of 2208	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	62
PID 3012 wrote to memory of 2208	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	62
PID 3012 wrote to memory of 1528	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	69
PID 3012 wrote to memory of 1528	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	69
PID 3012 wrote to memory of 1528	3012	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	69
PID 1528 wrote to memory of 1676	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	115
PID 1528 wrote to memory of 1676	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	115
PID 1528 wrote to memory of 1676	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	115
PID 1528 wrote to memory of 756	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	116
PID 1528 wrote to memory of 756	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	116
PID 1528 wrote to memory of 756	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	116
PID 1528 wrote to memory of 2324	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	117
PID 1528 wrote to memory of 2324	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	117
PID 1528 wrote to memory of 2324	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	117
PID 1528 wrote to memory of 3012	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	118
PID 1528 wrote to memory of 3012	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	118
PID 1528 wrote to memory of 3012	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	118
PID 1528 wrote to memory of 2288	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	119
PID 1528 wrote to memory of 2288	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	119
PID 1528 wrote to memory of 2288	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	119
PID 1528 wrote to memory of 2168	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	120
PID 1528 wrote to memory of 2168	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	120
PID 1528 wrote to memory of 2168	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	120
PID 1528 wrote to memory of 2644	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	121
PID 1528 wrote to memory of 2644	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	121
PID 1528 wrote to memory of 2644	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	121
PID 1528 wrote to memory of 900	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	122
PID 1528 wrote to memory of 900	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	122
PID 1528 wrote to memory of 900	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	122
PID 1528 wrote to memory of 1556	1528	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe	123

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exedwm.exe1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
"C:\Users\Admin\AppData\Local\Temp\1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe
  "C:\Users\Admin\AppData\Local\Temp\1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33eeN.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Users\Default User\dwm.exe
    "C:\Users\Default User\dwm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2996
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcf9dfea-b183-4207-9412-08d4ef4222f6.vbs"
      4⤵
      PID:1824
    - - C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2500
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4d2f545-8940-411b-9eea-632704fc0d60.vbs"
        6⤵
        
        PID:1792
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1deb1ea-33c7-4773-b6f6-946fc3a4f2d3.vbs"
        8⤵
        
        PID:2468
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b0ac4a-ef81-4eb1-a4cd-c23a7d97ef84.vbs"
        10⤵
        
        PID:1856
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5d69670-b011-4095-b638-b60b9211d0d8.vbs"
        12⤵
        
        PID:2592
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aad7953c-5e0a-4b6b-9764-3936bf7b5c69.vbs"
        14⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5110f2f8-b289-4e49-b87d-ec04f7dd64fb.vbs"
        14⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f689859-7472-4e19-980d-a365d2c31174.vbs"
        12⤵
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a92c94-6a15-4055-b6fd-dd3861dfd9b2.vbs"
        10⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb771a0e-bba1-44e3-8590-831c3f2a978b.vbs"
        8⤵
        
        PID:1992
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e49f8d4d-57b7-4b54-b9b8-6778284e82cc.vbs"
        6⤵
        
        PID:540
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30fd7329-4c1e-4484-9be0-84094f72a567.vbs"
      4⤵
      PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\lsm.exe

Filesize
4.9MB

MD5
052d4c3f15c5c8287292023613a04e70

SHA1
3cefd72b8de7cdc3b9a713224603fcfbcb148350

SHA256
1bf46be35cd2b12bdba1eea93dc2cbed8b02fd40bb1ecc955edd2d20120b33ee

SHA512
8a91c712564fb3add3b9b66eb259a0321fb1bcb5cd3642667a9a0b3a34cb2b30431e4455d457a95ddef01921a1a88830e2dcb3aab2d3949f160f8da9486c224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\30fd7329-4c1e-4484-9be0-84094f72a567.vbs

Filesize
481B

MD5
ad341880c8d21d74b88d64c7d1e3e327

SHA1
1a284647cf9dfc4ce5cea3c610083f89a4fef710

SHA256
5711038974755e090a463131494b56dccce5b34d3bbe1b59721269177d4859d3

SHA512
9326ef6def12e60ffe401f7d241c9e859ecd7bde7df384ef3874a8dc65caee4a75a814ccb31f667c59cd48f81122dbb4db6b752b297f74a3bbc6fa08bcd8fbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1deb1ea-33c7-4773-b6f6-946fc3a4f2d3.vbs

Filesize
704B

MD5
32095a9c6eda8560090e058ded8a907f

SHA1
8d3901c9ee8158bc6a6fb4ecbc276e151431c85d

SHA256
7040163771cd369549cb3d5a88465866a726f4361ff8d139a1b1051bfaf374ff

SHA512
0398e84661f86b2769c43f249aeda05c2679c397064764a4a8a19ee4a4fb7447e7758db889ea7472fd8f73603e454ead1c8c83e7bfd689ce88c0faa12bb5f662

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4d2f545-8940-411b-9eea-632704fc0d60.vbs

Filesize
705B

MD5
24c49ad167dc2245a012cdcd01681b4f

SHA1
97367cf65ed57239ab8f3c7d6756f31574ac119c

SHA256
371fd1ee0befd720bb7bc32797c083f93abc7acbae0293dab8918f17c95f3fa8

SHA512
334572548ab766ae4e8cb75939d691b94f8ee73ac9c237828ec3875671d329fbf1064cef03e3b76d8b904afa219166478bc35ac7f71b61889e9e390a57480e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aad7953c-5e0a-4b6b-9764-3936bf7b5c69.vbs

Filesize
705B

MD5
b57d4eedfee72dbbc4243d470061c534

SHA1
95ec6600a080e7780ffd7f6e18772cd08dec9a51

SHA256
1443ef694d42377379c100f6cf394b83576098187940fb7e1b08ae7d555266a7

SHA512
cb184bdced1dbe4cc5bc2c00b43b95cf0c8c8719a9fdc3222cdb4c64e5ddbbe2c00458e0d16921a8979430b6cd59a8e057e8202829e272efab6a53f62a125cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d69670-b011-4095-b638-b60b9211d0d8.vbs

Filesize
704B

MD5
0ca1395109805056884ffef6578e437e

SHA1
efcecc9145d7822d6779ba109225d6fc63f6d73b

SHA256
d58e6f4630562270808ca686b1d122e4f082036e633137796bd5a95ba93f57e3

SHA512
3ce5b3b07854a737ddaca415b42bce51f399130203f4bc88f818cf765fe628982df2a9c8a5351bd7a7725f2200c017db90b3eafa0d59478c1c93034fa8e29ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4b0ac4a-ef81-4eb1-a4cd-c23a7d97ef84.vbs

Filesize
705B

MD5
2e81cb5516fcb4fc3a4753b08120abb4

SHA1
2c764c81bb3925c2b2ab038513bf24703aeea2a2

SHA256
baeeb9bd5d66a5ccfb31867bac383bdf9546b0920abed1f4cfa22cb499873b26

SHA512
c60a72183a533667ccf0972fbd096c5e8a940f190014543e551de902d73e14405cc31d39508b5280e656b9c8817bae5ce94f4cbcae90e6e389490146a011aaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcf9dfea-b183-4207-9412-08d4ef4222f6.vbs

Filesize
705B

MD5
d93c21141e5b3655aa8b4942185aabe6

SHA1
f7aed206a7aa2ed1cbd32c4a68efa6e0bf929acc

SHA256
afbf28ce7a79237bae006b0a656a027cd2e3455c9bf2369ebaa7e8d1ed54fdeb

SHA512
22be87ba97e8ee49b5b40dc908e0e5f013fdfc0cc62773d0df38eff8e49179ca05686c8559f26b1da18d79aaeabe37cedd26f565246dba9f300be2af25c80425

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BC2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
af53435ee07709ec7290c8a143a7d0cc

SHA1
986969a0352dda59953f5b6daeb9c128ead1a7f4

SHA256
ba2b0cd8ae9ab22a1f774d8895ff4d9943760a887fdcccc59a08262e3251d3b3

SHA512
94e50f6dd058c3282a3d935fd910677b30a5814367e823965a1a90b56c0fbfaea98b84924b177aac9a905a62b44b329f54c0bef398adf6d32459112ac830632f

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/328-320-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download
memory/328-321-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/756-212-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/756-207-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/756-291-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1528-131-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/1848-79-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1848-77-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1964-336-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download
memory/2500-276-0x0000000001000000-0x00000000014F4000-memory.dmp

Filesize
5.0MB

Download
memory/2996-249-0x0000000000F70000-0x0000000001464000-memory.dmp

Filesize
5.0MB

Download
memory/3012-10-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3012-14-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/3012-9-0x00000000023D0000-0x00000000023DA000-memory.dmp

Filesize
40KB

Download
memory/3012-8-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/3012-16-0x00000000025C0000-0x00000000025CC000-memory.dmp

Filesize
48KB

Download
memory/3012-11-0x00000000023F0000-0x00000000023FA000-memory.dmp

Filesize
40KB

Download
memory/3012-12-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/3012-99-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-1-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download
memory/3012-15-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/3012-13-0x0000000002410000-0x000000000241E000-memory.dmp

Filesize
56KB

Download
memory/3012-7-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download
memory/3012-6-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/3012-5-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/3012-4-0x00000000006F0000-0x000000000070C000-memory.dmp

Filesize
112KB

Download
memory/3012-3-0x000000001B6D0000-0x000000001B7FE000-memory.dmp

Filesize
1.2MB

Download
memory/3012-2-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-0-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download