dcrat | d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Size

1.0MB
MD5

aea3d4caf079e299eea0b385a4dbbedd
SHA1

74b93127a847e2e2f2af6baa6b4ad6431c02ac63
SHA256

d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5
SHA512

8df72070ac43ee5b3e0ba8e958b0b5132229be9c6b1ed07bc0d26cbaeb27199fda53ca0cbe80c39f6af878db84d06206f59cb9bf97b64dc61b7f47237e1edbd9
SSDEEP

12288:sP2N7DeTXX5qeIeLsdxv/xedn6IwyMbfhC6hQs3uUbG6ddD7HFPMmXgAff+75LMF:sP28z7IeYxvJeKHdZH3OacV3d9CE4

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 35 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2636	schtasks.exe
		672	schtasks.exe
		1948	schtasks.exe
		2884	schtasks.exe
		2660	schtasks.exe
		1504	schtasks.exe
		1516	schtasks.exe
		2024	schtasks.exe
		2744	schtasks.exe
		1824	schtasks.exe
		2032	schtasks.exe
		2488	schtasks.exe
		2508	schtasks.exe
		2896	schtasks.exe
		2440	schtasks.exe
		640	schtasks.exe
		300	schtasks.exe
		2208	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
		1756	schtasks.exe
		2844	schtasks.exe
		1148	schtasks.exe
		2596	schtasks.exe
		2188	schtasks.exe
		2132	schtasks.exe
		3064	schtasks.exe
File created	C:\Program Files\7-Zip\Lang\56085415360792		d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
		1104	schtasks.exe
		2824	schtasks.exe
		2568	schtasks.exe
		2036	schtasks.exe
		540	schtasks.exe
		2924	schtasks.exe
		2940	schtasks.exe
		2964	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\OSPPSVC.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1628	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1628	schtasks.exe	31

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2408-1-0x0000000000B60000-0x0000000000C6E000-memory.dmp	dcrat
behavioral1/files/0x00050000000195c5-26.dat	dcrat
behavioral1/memory/2376-50-0x00000000010F0000-0x00000000011FE000-memory.dmp	dcrat
behavioral1/memory/1216-141-0x0000000001380000-0x000000000148E000-memory.dmp	dcrat
behavioral1/memory/2460-164-0x00000000013C0000-0x00000000014CE000-memory.dmp	dcrat
behavioral1/memory/3024-220-0x00000000000A0000-0x00000000001AE000-memory.dmp	dcrat
behavioral1/memory/2892-232-0x0000000000B10000-0x0000000000C1E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe
700	powershell.exe
960	powershell.exe
1652	powershell.exe
288	powershell.exe
1712	powershell.exe
308	powershell.exe
2200	powershell.exe
2496	powershell.exe
1296	powershell.exe
1880	powershell.exe
484	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2376	System.exe
556	System.exe
2880	System.exe
1216	System.exe
3064	System.exe
2460	System.exe
2636	System.exe
2688	System.exe
3056	System.exe
1056	System.exe
3024	System.exe
2892	System.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5 = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5 = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Downloads\\dllhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\OSPPSVC.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsm.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\OSPPSVC.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\Lang\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Downloads\\dllhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\wininit.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\wininit.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\7-Zip\Lang\56085415360792	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files (x86)\Uninstall Information\taskhost.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files (x86)\Uninstall Information\b75386f1303e64	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\schemas\EAPHost\csrss.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1148	schtasks.exe
2568	schtasks.exe
2596	schtasks.exe
1824	schtasks.exe
2844	schtasks.exe
2488	schtasks.exe
2824	schtasks.exe
2636	schtasks.exe
672	schtasks.exe
2896	schtasks.exe
640	schtasks.exe
2744	schtasks.exe
2940	schtasks.exe
2884	schtasks.exe
300	schtasks.exe
2024	schtasks.exe
3064	schtasks.exe
1948	schtasks.exe
2660	schtasks.exe
2188	schtasks.exe
2132	schtasks.exe
2032	schtasks.exe
2924	schtasks.exe
2440	schtasks.exe
2964	schtasks.exe
2208	schtasks.exe
2508	schtasks.exe
1504	schtasks.exe
1104	schtasks.exe
2036	schtasks.exe
540	schtasks.exe
1516	schtasks.exe
1756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
700	powershell.exe
2200	powershell.exe
308	powershell.exe
2696	powershell.exe
484	powershell.exe
288	powershell.exe
1296	powershell.exe
1880	powershell.exe
1652	powershell.exe
2496	powershell.exe
960	powershell.exe
2376	System.exe
1712	powershell.exe
556	System.exe
2880	System.exe
1216	System.exe
3064	System.exe
2460	System.exe
2636	System.exe
2688	System.exe
3056	System.exe
1056	System.exe
3024	System.exe
2892	System.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2376	System.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	556	System.exe
Token: SeDebugPrivilege	2880	System.exe
Token: SeDebugPrivilege	1216	System.exe
Token: SeDebugPrivilege	3064	System.exe
Token: SeDebugPrivilege	2460	System.exe
Token: SeDebugPrivilege	2636	System.exe
Token: SeDebugPrivilege	2688	System.exe
Token: SeDebugPrivilege	3056	System.exe
Token: SeDebugPrivilege	1056	System.exe
Token: SeDebugPrivilege	3024	System.exe
Token: SeDebugPrivilege	2892	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 308	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	65
PID 2408 wrote to memory of 308	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	65
PID 2408 wrote to memory of 308	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	65
PID 2408 wrote to memory of 2496	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	66
PID 2408 wrote to memory of 2496	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	66
PID 2408 wrote to memory of 2496	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	66
PID 2408 wrote to memory of 2200	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	67
PID 2408 wrote to memory of 2200	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	67
PID 2408 wrote to memory of 2200	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	67
PID 2408 wrote to memory of 2696	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	68
PID 2408 wrote to memory of 2696	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	68
PID 2408 wrote to memory of 2696	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	68
PID 2408 wrote to memory of 700	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	69
PID 2408 wrote to memory of 700	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	69
PID 2408 wrote to memory of 700	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	69
PID 2408 wrote to memory of 960	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	70
PID 2408 wrote to memory of 960	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	70
PID 2408 wrote to memory of 960	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	70
PID 2408 wrote to memory of 1296	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	71
PID 2408 wrote to memory of 1296	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	71
PID 2408 wrote to memory of 1296	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	71
PID 2408 wrote to memory of 1652	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	72
PID 2408 wrote to memory of 1652	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	72
PID 2408 wrote to memory of 1652	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	72
PID 2408 wrote to memory of 1880	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	73
PID 2408 wrote to memory of 1880	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	73
PID 2408 wrote to memory of 1880	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	73
PID 2408 wrote to memory of 484	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	74
PID 2408 wrote to memory of 484	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	74
PID 2408 wrote to memory of 484	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	74
PID 2408 wrote to memory of 288	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	75
PID 2408 wrote to memory of 288	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	75
PID 2408 wrote to memory of 288	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	75
PID 2408 wrote to memory of 1712	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	76
PID 2408 wrote to memory of 1712	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	76
PID 2408 wrote to memory of 1712	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	76
PID 2408 wrote to memory of 2376	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	89
PID 2408 wrote to memory of 2376	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	89
PID 2408 wrote to memory of 2376	2408	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	89
PID 2376 wrote to memory of 1104	2376	System.exe	90
PID 2376 wrote to memory of 1104	2376	System.exe	90
PID 2376 wrote to memory of 1104	2376	System.exe	90
PID 2376 wrote to memory of 592	2376	System.exe	91
PID 2376 wrote to memory of 592	2376	System.exe	91
PID 2376 wrote to memory of 592	2376	System.exe	91
PID 1104 wrote to memory of 556	1104	WScript.exe	92
PID 1104 wrote to memory of 556	1104	WScript.exe	92
PID 1104 wrote to memory of 556	1104	WScript.exe	92
PID 556 wrote to memory of 1872	556	System.exe	93
PID 556 wrote to memory of 1872	556	System.exe	93
PID 556 wrote to memory of 1872	556	System.exe	93
PID 556 wrote to memory of 2180	556	System.exe	94
PID 556 wrote to memory of 2180	556	System.exe	94
PID 556 wrote to memory of 2180	556	System.exe	94
PID 1872 wrote to memory of 2880	1872	WScript.exe	95
PID 1872 wrote to memory of 2880	1872	WScript.exe	95
PID 1872 wrote to memory of 2880	1872	WScript.exe	95
PID 2880 wrote to memory of 2836	2880	System.exe	96
PID 2880 wrote to memory of 2836	2880	System.exe	96
PID 2880 wrote to memory of 2836	2880	System.exe	96
PID 2880 wrote to memory of 860	2880	System.exe	97
PID 2880 wrote to memory of 860	2880	System.exe	97
PID 2880 wrote to memory of 860	2880	System.exe	97
PID 2836 wrote to memory of 1216	2836	WScript.exe	98

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
"C:\Users\Admin\AppData\Local\Temp\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2376
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7a79c88-84a3-4005-be4e-b0267d7b05e9.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94ed0b70-433f-4492-bd21-683ee65dc93d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\314cf0f2-bc4a-410a-8264-5a0d08d2ba0b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\075b6f8b-e92c-434e-b6db-9d0d8547bec1.vbs"
        9⤵
        
        PID:2940
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b58f5813-2eb1-4b0c-b4f1-e20efae91702.vbs"
        11⤵
        
        PID:1116
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53a62727-e05d-4bf0-b249-9f30fb4cc725.vbs"
        13⤵
        
        PID:1816
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9431b641-0664-42a9-8657-154c3dbf811a.vbs"
        15⤵
        
        PID:1424
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03bb887e-2810-46d3-b983-47562d57d221.vbs"
        17⤵
        
        PID:3036
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65639df4-713a-428a-923f-941975527b4e.vbs"
        19⤵
        
        PID:3004
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae832cf8-51dc-47fb-90f2-633f4385191f.vbs"
        21⤵
        
        PID:2612
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec69bbcc-76ec-435e-a375-6cddc422794d.vbs"
        23⤵
        
        PID:1784
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8fc7c9d-c2b4-4d9d-b600-37e3d6dc8e02.vbs"
        25⤵
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a82a352-e770-462b-9a08-cfca2a6b2659.vbs"
        25⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6a4205a-39eb-481e-82dc-161038b9e4b0.vbs"
        23⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2624515-5b11-47f7-a817-088981928d7f.vbs"
        21⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e940ea5a-4163-47f1-9158-718e9bc485a4.vbs"
        19⤵
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a90319a-10c7-4878-b2e8-f262dc9908ae.vbs"
        17⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8a4f993-2659-4cf0-b665-3c11634fc257.vbs"
        15⤵
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43f087c3-224c-4d4f-af7e-3b46a7d33018.vbs"
        13⤵
        
        PID:320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f15aaf30-316c-4da9-a81e-c9b6fb9fea11.vbs"
        11⤵
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a6ca3b9-2cfd-4ffb-9a64-deeb191a6a26.vbs"
        9⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faaeefd5-11de-4cf7-8155-6adb1a21a788.vbs"
        7⤵
        
        PID:860
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d137ea5-8a99-4fcb-821e-e1d66cc6e309.vbs"
        5⤵
        
        PID:2180
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12e55f68-54d2-45cf-8e3f-5e5da22a007a.vbs"
    3⤵
    PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5d" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5d" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe

Filesize
1.0MB

MD5
aea3d4caf079e299eea0b385a4dbbedd

SHA1
74b93127a847e2e2f2af6baa6b4ad6431c02ac63

SHA256
d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5

SHA512
8df72070ac43ee5b3e0ba8e958b0b5132229be9c6b1ed07bc0d26cbaeb27199fda53ca0cbe80c39f6af878db84d06206f59cb9bf97b64dc61b7f47237e1edbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\03bb887e-2810-46d3-b983-47562d57d221.vbs

Filesize
754B

MD5
9b086c45ecc26ed1bf01091f25bf362b

SHA1
3610fc443d5346042924dc2d0e64c41567ec87f6

SHA256
f4ff18638eecd05ca246170a07bee7d50fe51e6ef527c75f9eedb8c1f60a5463

SHA512
bf5ed1730ba3896d06ea75ce0690afe7387fd4c5d8f840082c6982a7727ba8225a07b7ebff39390d4388a5ae825443aba4ae10158f70c861bf1311a083be4e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\075b6f8b-e92c-434e-b6db-9d0d8547bec1.vbs

Filesize
754B

MD5
5e764262c8cbcfd56fd1c9c3007af538

SHA1
5fbb35cf4df528b6c04098296b4a7be531c2a700

SHA256
6193b2673f928499de4795ce59770855b7ddcca949a403e0458e25fef06dd178

SHA512
7f56ab8081e6be96d7be7cd7dd0be0f2258b64c982fc0ed6be5338a3b86c90a8739a494c3a16753cb43d8c0b59c7caaf7b31c8be37565570fc8f4317ac43fe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\12e55f68-54d2-45cf-8e3f-5e5da22a007a.vbs

Filesize
530B

MD5
e887e0567dc20660262e98be559ec820

SHA1
fe6f9738a5a57e83e1af4c0d0493f33e9e3b5459

SHA256
9a445f7e3bb39acd171aa6a7e9638a21481188d6f81946df1c8930a5b9c9676a

SHA512
cf835c87b56e2ace4efbd3bcdc9aad604ce162fd29e54a7d4955017ff4b3e7fab8999154d547521e0a2bdbde8db2b141aa107d61df3c2e7bbd87f78449037f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\314cf0f2-bc4a-410a-8264-5a0d08d2ba0b.vbs

Filesize
754B

MD5
0c5436f81ecc8e5120cc14b64ecf6a72

SHA1
77015b333f6e148a89503420da416ada0b3a507f

SHA256
f130ace9bce2219c620d83f867bc0e4bfaa026516d6464a951049042dfcef95d

SHA512
9ca31e5d5aebbfd9695e22317a68e0546d7abcee86ef6487b8b941a8f0c56593eb3da7633f14fd644be317015f90f0121703d9f3277cd782a8ffae0e4365eead

Download Submit
C:\Users\Admin\AppData\Local\Temp\53a62727-e05d-4bf0-b249-9f30fb4cc725.vbs

Filesize
754B

MD5
f8d8267a7b4da0d8269c55e8cdd22236

SHA1
c70a03e02ac48bc3dea705ca6e6300bac430fe46

SHA256
af6035453922ede8731e36a0fae75f9e195297ce76fe278a242e5ce1c6522605

SHA512
00d801547a0a2aa5ad41647fe5514a343e8cf1600f0a3ac5dc4dfd26b85572dce45c638e811ea2a4dcc274aae1e5c4a82d94fddf82631f11a8fefb647bb8537b

Download Submit
C:\Users\Admin\AppData\Local\Temp\65639df4-713a-428a-923f-941975527b4e.vbs

Filesize
754B

MD5
8936a661a25ac8a315888e9925de8fdf

SHA1
0eeb63f27713105dc90983e5915e1bda38cf2510

SHA256
a2bf00bdff29895dfb3b3aca6ba69255abba0549e69caad015efb8edb69c089a

SHA512
c99bc9ad85475ab98c5a077603a7ad69cd5b3c8166477c7f11aa3422aca4436ff82b3773aaacb53168bc304bd877f02e6e14092a8a1cdee29f58821b1cc2d062

Download Submit
C:\Users\Admin\AppData\Local\Temp\9431b641-0664-42a9-8657-154c3dbf811a.vbs

Filesize
754B

MD5
cc783decf96b743ecdc347dd5ebd879e

SHA1
6d223d28ff3857079d33e67b12654eeb9408c67c

SHA256
0379dd922eecd046e131103779a40f47042a8ee79d9f632cbca8cfd5b98fc6fd

SHA512
fda0f38650cdfc055f37014b623b8589b3002887400453cacf093e8809becc291c4184650093349272957c6f9045444c952aaba3d594faad8c7c16bffb0172c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\94ed0b70-433f-4492-bd21-683ee65dc93d.vbs

Filesize
753B

MD5
d58132b4f0a24165b1cf3ec1901217dd

SHA1
e6ded6147b77eaba361f623c3323e368116987fe

SHA256
bcb6f2e6ac748bb653e568a6c2545a463a827d186bcd57d0eda3a034679167b3

SHA512
efd1cdebba7e565cb804b92c7fce9968b04143f6ac63e684a6dbe345f404cf8c4786b31e79269f70dc7ff7db41f5172dd8c96ad5f827429af3b02d1148e5a94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7a79c88-84a3-4005-be4e-b0267d7b05e9.vbs

Filesize
754B

MD5
2f18ec3930be059ae34392ead2e1be6d

SHA1
40615151acef5422443313f567ea682c8e983820

SHA256
b787e2941f69c907d39fc710cf7abd7a984ba47eaaf7a8b89d00cf6310ddf2bf

SHA512
e78649fded8460fd86570a9201bf63ee24ada460af019ad23ae980094293c9c636262af522bec32e5f6f9699fc59f68a33b025fbb8d32b08bdb7d0ae74c225a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae832cf8-51dc-47fb-90f2-633f4385191f.vbs

Filesize
754B

MD5
beec409c689f8de0d16a96607a58fb6d

SHA1
aaf321c25b96787a145004f2dc9bf9522f2e11fa

SHA256
dbd17f2d56436807dec95aaa7459f965a765b4d049ec4ba4ea4ae56910c739c2

SHA512
b969ead3b164f6229ed958c5cb136b8289bf97eb80cdfc10a4f269c343c17d13994af927d115245f2e77599a35a19b190d61094b2e7c781b894ccfb294007e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\b58f5813-2eb1-4b0c-b4f1-e20efae91702.vbs

Filesize
754B

MD5
fa0ca31b3dcc6db40a203f82db718148

SHA1
f5a0d10e2a6033607649431e390b90d915ee5766

SHA256
8599ff06d82d54ced229047b585600beab39ffa9fccb90269ee09540f86ad455

SHA512
c0acf0dcd469a5da70194037dc338401746474d0e568d6232901fb0c4b62805bdde2dc1015bdb080b0c537fffca0def269eca09a33c1ad3b27b78be3f3766c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8fc7c9d-c2b4-4d9d-b600-37e3d6dc8e02.vbs

Filesize
754B

MD5
86bd5fc987e29da1dbab5a06784693c7

SHA1
c5e885861dcb94f00dd2cbad0ea230824959a506

SHA256
9d1b813db74fc4addfd0d34389785114d60adb699e5077ec8e2e4ce6142a5037

SHA512
675afe3f9690f76cfb1ac9990953bae5932a01fb42d7d1d82cab55eaa7cb92910e06d99922fe3140d17d22506d9e45f6473e4af3cab1520c6a53f0e3cd70ae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec69bbcc-76ec-435e-a375-6cddc422794d.vbs

Filesize
754B

MD5
4133518ffacac95d431c045f6c48a516

SHA1
d225dcb255a6b485c69e88a1580ab3ecc35e3f2b

SHA256
bf7e5d26f90cd13f73ef9573f3f072971d8f65bf3224e68a845bc83b593f04f8

SHA512
8038b61ccf29635988639828e1415ebfbbac5a1936bf02f42db9a8a70f50a8fdaf122cac9b8f661c0bade4cd1b5990f96b1be637f5ae69b74038528137045190

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
76b8b83986df8cb8896e0d76fc31e831

SHA1
c54e9118d2917b7c01d913e7730411b7efa6cb42

SHA256
052a5b103a2ae460ebe037cd731cd55d62f83f1c843c7b906de6f52e0ce37a06

SHA512
a45ffa663fea4e5028cb81903ebaf2178f4791df5cb4eb6cd15f8b00b7aa193ef593532a356f0fe75ea2e6db9592af7601bb0b3847a162adfaa8d244cacad0ed

Download Submit
memory/700-56-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/700-58-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/1216-141-0x0000000001380000-0x000000000148E000-memory.dmp

Filesize
1.1MB

Download
memory/2376-50-0x00000000010F0000-0x00000000011FE000-memory.dmp

Filesize
1.1MB

Download
memory/2408-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-14-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2408-8-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2408-17-0x0000000002130000-0x000000000213C000-memory.dmp

Filesize
48KB

Download
memory/2408-84-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-13-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download
memory/2408-12-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2408-10-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/2408-9-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2408-15-0x0000000002080000-0x000000000208E000-memory.dmp

Filesize
56KB

Download
memory/2408-11-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2408-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000000B60000-0x0000000000C6E000-memory.dmp

Filesize
1.1MB

Download
memory/2408-7-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2408-5-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/2408-6-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/2408-4-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2408-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2408-16-0x00000000020A0000-0x00000000020AA000-memory.dmp

Filesize
40KB

Download
memory/2460-164-0x00000000013C0000-0x00000000014CE000-memory.dmp

Filesize
1.1MB

Download
memory/2892-232-0x0000000000B10000-0x0000000000C1E000-memory.dmp

Filesize
1.1MB

Download
memory/3024-220-0x00000000000A0000-0x00000000001AE000-memory.dmp

Filesize
1.1MB

Download