dcrat | e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Size

4.9MB
MD5

c1757f1892079f80e08372461f2bbf30
SHA1

0e0f61b61d3de07e3026b6742fb4a182625d0af4
SHA256

e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26
SHA512

0e971ae529960d59ddacbda72f5dbf9b6e03cfb2666b3fc986c39d58690266b830257de77ee256601aad909e86cc1e8d77ef45bb365d9a2c29f5dfc813d5826a
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2848	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2848	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1388-3-0x000000001ACB0000-0x000000001ADDE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2976	powershell.exe
2452	powershell.exe
1664	powershell.exe
2464	powershell.exe
2008	powershell.exe
2428	powershell.exe
1672	powershell.exe
1612	powershell.exe
2460	powershell.exe
1916	powershell.exe
2292	powershell.exe
396	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1960	spoolsv.exe
900	spoolsv.exe
2400	spoolsv.exe
2464	spoolsv.exe
3052	spoolsv.exe
3000	spoolsv.exe
1068	spoolsv.exe
272	spoolsv.exe
2684	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\ja-JP\56085415360792	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\dllhost.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\5940a34987c991	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCXF72D.tmp	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\RCX1AE.tmp	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCX3B2.tmp	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\services.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\c5b4cb5e9653cc	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX623.tmp	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\f3b6ecef712a24	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\dllhost.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\services.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Help\Corporate\RCXFB35.tmp	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Windows\Help\Corporate\spoolsv.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Windows\tracing\RCX894.tmp	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File opened for modification	C:\Windows\tracing\services.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Windows\Help\Corporate\spoolsv.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Windows\Help\Corporate\f3b6ecef712a24	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Windows\tracing\services.exe	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
File created	C:\Windows\tracing\c5b4cb5e9653cc	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1280	schtasks.exe
2284	schtasks.exe
1120	schtasks.exe
2500	schtasks.exe
1908	schtasks.exe
2888	schtasks.exe
2240	schtasks.exe
624	schtasks.exe
2260	schtasks.exe
2612	schtasks.exe
1748	schtasks.exe
2960	schtasks.exe
1416	schtasks.exe
1992	schtasks.exe
2820	schtasks.exe
2892	schtasks.exe
3040	schtasks.exe
2388	schtasks.exe
2148	schtasks.exe
2548	schtasks.exe
2628	schtasks.exe
3000	schtasks.exe
1752	schtasks.exe
2020	schtasks.exe
340	schtasks.exe
2004	schtasks.exe
2744	schtasks.exe
860	schtasks.exe
2348	schtasks.exe
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
2976	powershell.exe
2460	powershell.exe
2452	powershell.exe
1672	powershell.exe
1664	powershell.exe
2464	powershell.exe
396	powershell.exe
2428	powershell.exe
1916	powershell.exe
2008	powershell.exe
2292	powershell.exe
1612	powershell.exe
1960	spoolsv.exe
900	spoolsv.exe
2400	spoolsv.exe
2464	spoolsv.exe
3052	spoolsv.exe
3000	spoolsv.exe
1068	spoolsv.exe
272	spoolsv.exe
2684	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1960	spoolsv.exe
Token: SeDebugPrivilege	900	spoolsv.exe
Token: SeDebugPrivilege	2400	spoolsv.exe
Token: SeDebugPrivilege	2464	spoolsv.exe
Token: SeDebugPrivilege	3052	spoolsv.exe
Token: SeDebugPrivilege	3000	spoolsv.exe
Token: SeDebugPrivilege	1068	spoolsv.exe
Token: SeDebugPrivilege	272	spoolsv.exe
Token: SeDebugPrivilege	2684	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2428	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	62
PID 1388 wrote to memory of 2428	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	62
PID 1388 wrote to memory of 2428	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	62
PID 1388 wrote to memory of 396	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	63
PID 1388 wrote to memory of 396	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	63
PID 1388 wrote to memory of 396	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	63
PID 1388 wrote to memory of 2976	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	64
PID 1388 wrote to memory of 2976	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	64
PID 1388 wrote to memory of 2976	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	64
PID 1388 wrote to memory of 2452	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	65
PID 1388 wrote to memory of 2452	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	65
PID 1388 wrote to memory of 2452	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	65
PID 1388 wrote to memory of 1672	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	66
PID 1388 wrote to memory of 1672	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	66
PID 1388 wrote to memory of 1672	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	66
PID 1388 wrote to memory of 1612	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	67
PID 1388 wrote to memory of 1612	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	67
PID 1388 wrote to memory of 1612	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	67
PID 1388 wrote to memory of 1664	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	68
PID 1388 wrote to memory of 1664	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	68
PID 1388 wrote to memory of 1664	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	68
PID 1388 wrote to memory of 2464	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	69
PID 1388 wrote to memory of 2464	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	69
PID 1388 wrote to memory of 2464	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	69
PID 1388 wrote to memory of 2460	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	70
PID 1388 wrote to memory of 2460	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	70
PID 1388 wrote to memory of 2460	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	70
PID 1388 wrote to memory of 1916	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	71
PID 1388 wrote to memory of 1916	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	71
PID 1388 wrote to memory of 1916	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	71
PID 1388 wrote to memory of 2008	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	80
PID 1388 wrote to memory of 2008	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	80
PID 1388 wrote to memory of 2008	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	80
PID 1388 wrote to memory of 2292	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	83
PID 1388 wrote to memory of 2292	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	83
PID 1388 wrote to memory of 2292	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	83
PID 1388 wrote to memory of 1356	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	86
PID 1388 wrote to memory of 1356	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	86
PID 1388 wrote to memory of 1356	1388	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe	86
PID 1356 wrote to memory of 408	1356	cmd.exe	88
PID 1356 wrote to memory of 408	1356	cmd.exe	88
PID 1356 wrote to memory of 408	1356	cmd.exe	88
PID 1356 wrote to memory of 1960	1356	cmd.exe	89
PID 1356 wrote to memory of 1960	1356	cmd.exe	89
PID 1356 wrote to memory of 1960	1356	cmd.exe	89
PID 1960 wrote to memory of 1668	1960	spoolsv.exe	90
PID 1960 wrote to memory of 1668	1960	spoolsv.exe	90
PID 1960 wrote to memory of 1668	1960	spoolsv.exe	90
PID 1960 wrote to memory of 2920	1960	spoolsv.exe	91
PID 1960 wrote to memory of 2920	1960	spoolsv.exe	91
PID 1960 wrote to memory of 2920	1960	spoolsv.exe	91
PID 1668 wrote to memory of 900	1668	WScript.exe	92
PID 1668 wrote to memory of 900	1668	WScript.exe	92
PID 1668 wrote to memory of 900	1668	WScript.exe	92
PID 900 wrote to memory of 1728	900	spoolsv.exe	93
PID 900 wrote to memory of 1728	900	spoolsv.exe	93
PID 900 wrote to memory of 1728	900	spoolsv.exe	93
PID 900 wrote to memory of 2728	900	spoolsv.exe	94
PID 900 wrote to memory of 2728	900	spoolsv.exe	94
PID 900 wrote to memory of 2728	900	spoolsv.exe	94
PID 1728 wrote to memory of 2400	1728	WScript.exe	95
PID 1728 wrote to memory of 2400	1728	WScript.exe	95
PID 1728 wrote to memory of 2400	1728	WScript.exe	95
PID 2400 wrote to memory of 2888	2400	spoolsv.exe	96

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
"C:\Users\Admin\AppData\Local\Temp\e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iwTR1UogfX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:408
- - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1960
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5153c2bb-8d42-42ad-b01e-37b02844e99d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:900
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22075bff-7c31-4d40-85c7-cf69440e4c0d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd44b810-d1c5-4bab-a1fd-3842c9e70a15.vbs"
        8⤵
        
        PID:2888
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9557f575-8c93-425f-9382-72f11f14ab15.vbs"
        10⤵
        
        PID:2436
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\406a274b-2649-4e9c-9e1c-7d5af133b2d0.vbs"
        12⤵
        
        PID:1648
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc3fd010-47f2-4995-be25-977ea46b7c2d.vbs"
        14⤵
        
        PID:2692
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd1cfa04-86bc-46b2-ab4f-1484b99cd092.vbs"
        16⤵
        
        PID:268
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12d0992b-2db3-4bb0-9493-57c560e85d99.vbs"
        18⤵
        
        PID:792
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c596326a-3710-43d9-81e7-e58808bca50d.vbs"
        18⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49d8e960-1feb-4600-b138-0e43e731c642.vbs"
        16⤵
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb27982d-355a-4316-af06-50067cdb4371.vbs"
        14⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31d5110d-6af3-49f8-9f27-7df31fc04b1f.vbs"
        12⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74b3e473-1ef6-45e4-8316-85e209ed3688.vbs"
        10⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d169afd7-56c0-4f08-bea0-4f7f6598f9b7.vbs"
        8⤵
        
        PID:1904
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94f4b745-a1cf-4bbe-a06a-8ad6498f8fc0.vbs"
        6⤵
        
        PID:2728
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c21e8d5-114c-4a7e-ade4-36f92d69e4b9.vbs"
      4⤵
      PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\Corporate\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Corporate\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26Ne" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26Ne" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Favorites\e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe

Filesize
4.9MB

MD5
2980b39d1a196594b409d4db494d6f15

SHA1
5b47cee72f19892933111562e550aee851081d10

SHA256
78809577aec854e8bcb6bb6deaccd33ed16762b2138183f766ae48d471981f8f

SHA512
a9234efeaab87f0b015ccd96a28d0986947001da965777ca8db18257196717ffb36e3e06d19dc877105a36a43a8faa6ee1fc1b901f372d7cb8d8f4ecca2c6a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\12d0992b-2db3-4bb0-9493-57c560e85d99.vbs

Filesize
757B

MD5
dafbb90f63e6ac3219f1186bfb79f7a0

SHA1
4aedeb85481aa4dab5a38f2ec3d1e60a594fc321

SHA256
fa13bb1207518d14efcd7c20b26da3d87a5c62d02dab6274c25adcf377187511

SHA512
6e46e363d0b02390bc107b8774e622daaad03edd86418d723dfaa4eb8f9351e32ffa8e123909f54fb734271af32903f02083f536617e62d5ddb44379e9946b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\22075bff-7c31-4d40-85c7-cf69440e4c0d.vbs

Filesize
757B

MD5
6cb58f191ea12b2bcfeb224ff0abc4a8

SHA1
7cd20b50c71b92cc99beccb2c27c7549b90f4191

SHA256
c458c8fff555845a3e842191627bede31229dd39d67785b59340e9c9b2401e71

SHA512
4a93e4703328093b33029a7225800d846845452936b2e8e167320b998cc0661e4981a2855f5f2a444ae6329bae20f96150341face5a97b8e3cbad207f2f464e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\406a274b-2649-4e9c-9e1c-7d5af133b2d0.vbs

Filesize
758B

MD5
1223c1a1c98ef9bc5e7d070e63587640

SHA1
9d3a7a91a3756a92e8a8af407afb8ec9a64198d6

SHA256
b2701a6e1295080bbb8b8540cd470f779e4c8b55af0964413f799eb4b88015bf

SHA512
c1512ef5714581363f57726b4feecb0b36936109ee9468f5d3798124fbbea7e6ceffcd23e17fcef846e399c0deb591f46b2e6f037aed8a5a3d434cbb9241737b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5153c2bb-8d42-42ad-b01e-37b02844e99d.vbs

Filesize
758B

MD5
f3eaa1a335b4afe633256d592c8fe4f4

SHA1
ccc7f04af2a72153a3d32c2c5c8f019419d069d2

SHA256
7ed1ed240dd7fbd08d4d994209c736569fe602302e788a48e260ffb09cf85acb

SHA512
b2da4823c140b77bff738b1b566a50da00a1ccbcb192c1a0785f3d47bcd39e33465c9b70dce9cf522c20755bac6634e328d74298716b2a4b5652886961cc3f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c21e8d5-114c-4a7e-ade4-36f92d69e4b9.vbs

Filesize
534B

MD5
465b99c99b9e6e202f0d934e0e59c432

SHA1
14e95f566e8593e90bfe9fde6de419919d2e7360

SHA256
b2b748823d24aefbbc7e76e01572542c00ec2ce936ea3771b1684cdabc539749

SHA512
db5741712237ba5f99613f05255df7578f9cd64d4baf786373a0aa7a0c0e008482a375c8b8983b1a4800dcd9dda72645e597bbcce5c5f223fb6adb3643f9038d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9557f575-8c93-425f-9382-72f11f14ab15.vbs

Filesize
758B

MD5
572cbe36bf2f0b9999063d7e800d93ca

SHA1
0b58f2dced2d5bea451547ac81b09ffe8efe2944

SHA256
64981fa10d5697a03a45640bb6f43810b603dbabaad9ec32fdb6a09a776906d1

SHA512
369c0dd8e03c94f81ce8f7e76d72b8e7a56b7c079477734da8ce14fe13d842b6b477ff54700b0f6884ceded7701ae94cd6f06639d6dde8a494068c3fc60141fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3fd010-47f2-4995-be25-977ea46b7c2d.vbs

Filesize
758B

MD5
9a63707c8cb78a2f378c4be19d876542

SHA1
0e45b0582103a0069b212f08e80122c0f3065bbd

SHA256
7c81c231a145da5a6a2c290ec1398b92cf8f978d20f3dc71f824492bbdbee5e2

SHA512
dad5d0fde07e4eedc1cf1104fdb21320b259afc49a78266263a91e94948367dce537a991dae1bd7d4b7a229b2ab9a2efa4aa72b2fa4d59e22f9136efe56676af

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd1cfa04-86bc-46b2-ab4f-1484b99cd092.vbs

Filesize
758B

MD5
2c2304c1ee2e530fc301ad1ae95e5608

SHA1
c3da9859ed331c690a97aa9a70ed4b644b7d281b

SHA256
e2a45639d5db35c1abf4f0f766de2a850312538ce82691db0410f406ef6d580d

SHA512
589856d7eabce2ed00943e9c011aefe04c5511bc8928040be6abc8504c816c998e083e918ecdbb864e5d02123ddd7e08e342e7d2b3d399596b1c0d128475be22

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd44b810-d1c5-4bab-a1fd-3842c9e70a15.vbs

Filesize
758B

MD5
bfc2f8f5d4ace2690f36eca565a03c1f

SHA1
d156d60396907f110ebe90eefe2ff064e6756c22

SHA256
0123318e97f9e2b6a323a641bb635ac360f676e35197dd92696731fddaf002b5

SHA512
86b7028ae6cbfe729753ff68b5e229bfaa968122705bf66fde52354bd62345239b09fa72bbe29b0f4a81a2119a3c58a6dd975f37e47d6a52d70cf5164da624e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwTR1UogfX.bat

Filesize
247B

MD5
01ab9510864f5941a5aa07a6f7d332ab

SHA1
7a27eedd30603c544c32bc867666c10c8054ec7b

SHA256
e9f1b73272907dcd974a67317f9a8113032aedf5884e32883806d2ec4cd11bab

SHA512
a9ab0482d80f6b05e8064bec7dcfc0380083e569fc66ee5347f2a2941d621fb8c60d51559e5d3683233fb6e0234e1e68a0bbea9a487b44862fcc3907281ed866

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
18e7e03dc4deb907ef24716284a5e020

SHA1
c2d47361ca05a09f5372edffafcb52de2d020b1e

SHA256
1eccfb59bebb58f253276bcd42b87fd7f2d2da047a8cf8174bfbdccfdb317762

SHA512
9e5f4d1b84bea8136e904c3c0d65c59a4aff48d4609aac3fb15158c6aa77cd9ea2f23276ea246a98eb4b278cb03edf14838e44f015a22e93480060530f8fce99

Download Submit
C:\Users\Public\Favorites\e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe

Filesize
4.9MB

MD5
c1757f1892079f80e08372461f2bbf30

SHA1
0e0f61b61d3de07e3026b6742fb4a182625d0af4

SHA256
e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26

SHA512
0e971ae529960d59ddacbda72f5dbf9b6e03cfb2666b3fc986c39d58690266b830257de77ee256601aad909e86cc1e8d77ef45bb365d9a2c29f5dfc813d5826a

Download Submit
memory/272-284-0x00000000013D0000-0x00000000018C4000-memory.dmp

Filesize
5.0MB

Download
memory/900-195-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/1388-10-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/1388-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1388-1-0x0000000000E70000-0x0000000001364000-memory.dmp

Filesize
5.0MB

Download
memory/1388-15-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/1388-2-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-160-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-14-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/1388-13-0x0000000000D60000-0x0000000000D6E000-memory.dmp

Filesize
56KB

Download
memory/1388-3-0x000000001ACB0000-0x000000001ADDE000-memory.dmp

Filesize
1.2MB

Download
memory/1388-4-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1388-12-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/1388-11-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/1388-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/1388-16-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/1388-7-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/1388-5-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/1388-8-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1388-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1960-181-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/1960-180-0x0000000000FE0000-0x00000000014D4000-memory.dmp

Filesize
5.0MB

Download
memory/2400-210-0x0000000001240000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2464-225-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2684-299-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/2976-132-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2976-133-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/3000-255-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/3052-240-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download