dcrat | d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Size

1.0MB
MD5

aea3d4caf079e299eea0b385a4dbbedd
SHA1

74b93127a847e2e2f2af6baa6b4ad6431c02ac63
SHA256

d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5
SHA512

8df72070ac43ee5b3e0ba8e958b0b5132229be9c6b1ed07bc0d26cbaeb27199fda53ca0cbe80c39f6af878db84d06206f59cb9bf97b64dc61b7f47237e1edbd9
SSDEEP

12288:sP2N7DeTXX5qeIeLsdxv/xedn6IwyMbfhC6hQs3uUbG6ddD7HFPMmXgAff+75LMF:sP28z7IeYxvJeKHdZH3OacV3d9CE4

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 38 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2004	schtasks.exe
		2648	schtasks.exe
		2560	schtasks.exe
		1708	schtasks.exe
		760	schtasks.exe
		1660	schtasks.exe
		2996	schtasks.exe
		2136	schtasks.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\6203df4a6bafc7		d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
		1044	schtasks.exe
		1864	schtasks.exe
		1008	schtasks.exe
		2712	schtasks.exe
		2620	schtasks.exe
		3056	schtasks.exe
		2984	schtasks.exe
		952	schtasks.exe
		2744	schtasks.exe
		2892	schtasks.exe
		2768	schtasks.exe
		2764	schtasks.exe
		408	schtasks.exe
		664	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
		1156	schtasks.exe
		1988	schtasks.exe
		748	schtasks.exe
		2000	schtasks.exe
		2660	schtasks.exe
		2664	schtasks.exe
		568	schtasks.exe
		1520	schtasks.exe
		1996	schtasks.exe
		2700	schtasks.exe
		2292	schtasks.exe
		764	schtasks.exe
		2776	schtasks.exe
		848	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\wininit.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\wininit.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\MSOCache\\All Users\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\wininit.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\MSOCache\\All Users\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\wininit.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\MSOCache\\All Users\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\wininit.exe\", \"C:\\Windows\\Web\\Wallpaper\\Windows\\dllhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\wininit.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\MSOCache\\All Users\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\wininit.exe\", \"C:\\Windows\\Web\\Wallpaper\\Windows\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Cursors\\wininit.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\MSOCache\\All Users\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\wininit.exe\", \"C:\\Windows\\Web\\Wallpaper\\Windows\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Windows\\it-IT\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2108	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2192-1-0x0000000000C50000-0x0000000000D5E000-memory.dmp	dcrat
behavioral1/files/0x000500000001945c-26.dat	dcrat
behavioral1/memory/1920-48-0x0000000000250000-0x000000000035E000-memory.dmp	dcrat
behavioral1/memory/1716-121-0x0000000001190000-0x000000000129E000-memory.dmp	dcrat
behavioral1/memory/1852-133-0x0000000000300000-0x000000000040E000-memory.dmp	dcrat
behavioral1/memory/2672-145-0x00000000008B0000-0x00000000009BE000-memory.dmp	dcrat
behavioral1/memory/2068-157-0x00000000011A0000-0x00000000012AE000-memory.dmp	dcrat
behavioral1/memory/2752-168-0x00000000003C0000-0x00000000004CE000-memory.dmp	dcrat
behavioral1/memory/1936-180-0x0000000000310000-0x000000000041E000-memory.dmp	dcrat
behavioral1/memory/1756-192-0x00000000002D0000-0x00000000003DE000-memory.dmp	dcrat
behavioral1/memory/2836-204-0x0000000000B80000-0x0000000000C8E000-memory.dmp	dcrat
behavioral1/memory/1364-216-0x0000000000110000-0x000000000021E000-memory.dmp	dcrat
behavioral1/memory/2036-228-0x0000000000890000-0x000000000099E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
940	powershell.exe
2416	powershell.exe
908	powershell.exe
1552	powershell.exe
1300	powershell.exe
1428	powershell.exe
1560	powershell.exe
1776	powershell.exe
1512	powershell.exe
1736	powershell.exe
2248	powershell.exe
2912	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1920	System.exe
1716	System.exe
1852	System.exe
2672	System.exe
2068	System.exe
2752	System.exe
1936	System.exe
1756	System.exe
2836	System.exe
1364	System.exe
2036	System.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Portable Devices\\smss.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5 = "\"C:\\MSOCache\\All Users\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Web\\Wallpaper\\Windows\\dllhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\it-IT\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\it-IT\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Web\\Wallpaper\\Windows\\dllhost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5 = "\"C:\\MSOCache\\All Users\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\lsass.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Cursors\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\System.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Portable Devices\\smss.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\WmiPrvSE.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Cursors\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\6203df4a6bafc7	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Windows Portable Devices\smss.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\24dbde2999530e	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\7-Zip\wininit.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Windows Portable Devices\69ddcba757bf72	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\7-Zip\56085415360792	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\wininit.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Windows\it-IT\56085415360792	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Windows\Cursors\wininit.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Windows\Cursors\56085415360792	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Windows\Web\Wallpaper\Windows\dllhost.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Windows\Web\Wallpaper\Windows\5940a34987c991	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe
1520	schtasks.exe
2776	schtasks.exe
2996	schtasks.exe
664	schtasks.exe
2892	schtasks.exe
2712	schtasks.exe
3056	schtasks.exe
2984	schtasks.exe
568	schtasks.exe
1864	schtasks.exe
2000	schtasks.exe
2664	schtasks.exe
2660	schtasks.exe
764	schtasks.exe
2136	schtasks.exe
408	schtasks.exe
2004	schtasks.exe
2648	schtasks.exe
848	schtasks.exe
952	schtasks.exe
1156	schtasks.exe
1988	schtasks.exe
1660	schtasks.exe
2764	schtasks.exe
1044	schtasks.exe
2744	schtasks.exe
2620	schtasks.exe
1708	schtasks.exe
748	schtasks.exe
2768	schtasks.exe
2560	schtasks.exe
1008	schtasks.exe
2292	schtasks.exe
1996	schtasks.exe
2700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2416	powershell.exe
1776	powershell.exe
2248	powershell.exe
1428	powershell.exe
940	powershell.exe
1300	powershell.exe
1736	powershell.exe
908	powershell.exe
2912	powershell.exe
1552	powershell.exe
1560	powershell.exe
1512	powershell.exe
1920	System.exe
1716	System.exe
1852	System.exe
2672	System.exe
2068	System.exe
2752	System.exe
1936	System.exe
1756	System.exe
2836	System.exe
1364	System.exe
2036	System.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1920	System.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1716	System.exe
Token: SeDebugPrivilege	1852	System.exe
Token: SeDebugPrivilege	2672	System.exe
Token: SeDebugPrivilege	2068	System.exe
Token: SeDebugPrivilege	2752	System.exe
Token: SeDebugPrivilege	1936	System.exe
Token: SeDebugPrivilege	1756	System.exe
Token: SeDebugPrivilege	2836	System.exe
Token: SeDebugPrivilege	1364	System.exe
Token: SeDebugPrivilege	2036	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2416	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	68
PID 2192 wrote to memory of 2416	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	68
PID 2192 wrote to memory of 2416	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	68
PID 2192 wrote to memory of 1736	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	69
PID 2192 wrote to memory of 1736	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	69
PID 2192 wrote to memory of 1736	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	69
PID 2192 wrote to memory of 2248	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	70
PID 2192 wrote to memory of 2248	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	70
PID 2192 wrote to memory of 2248	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	70
PID 2192 wrote to memory of 908	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	73
PID 2192 wrote to memory of 908	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	73
PID 2192 wrote to memory of 908	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	73
PID 2192 wrote to memory of 1512	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	75
PID 2192 wrote to memory of 1512	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	75
PID 2192 wrote to memory of 1512	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	75
PID 2192 wrote to memory of 940	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	77
PID 2192 wrote to memory of 940	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	77
PID 2192 wrote to memory of 940	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	77
PID 2192 wrote to memory of 1776	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	78
PID 2192 wrote to memory of 1776	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	78
PID 2192 wrote to memory of 1776	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	78
PID 2192 wrote to memory of 1560	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	79
PID 2192 wrote to memory of 1560	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	79
PID 2192 wrote to memory of 1560	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	79
PID 2192 wrote to memory of 2912	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	80
PID 2192 wrote to memory of 2912	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	80
PID 2192 wrote to memory of 2912	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	80
PID 2192 wrote to memory of 1428	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	81
PID 2192 wrote to memory of 1428	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	81
PID 2192 wrote to memory of 1428	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	81
PID 2192 wrote to memory of 1300	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	82
PID 2192 wrote to memory of 1300	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	82
PID 2192 wrote to memory of 1300	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	82
PID 2192 wrote to memory of 1552	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	83
PID 2192 wrote to memory of 1552	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	83
PID 2192 wrote to memory of 1552	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	83
PID 2192 wrote to memory of 1920	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	92
PID 2192 wrote to memory of 1920	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	92
PID 2192 wrote to memory of 1920	2192	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	92
PID 1920 wrote to memory of 2376	1920	System.exe	93
PID 1920 wrote to memory of 2376	1920	System.exe	93
PID 1920 wrote to memory of 2376	1920	System.exe	93
PID 1920 wrote to memory of 2956	1920	System.exe	94
PID 1920 wrote to memory of 2956	1920	System.exe	94
PID 1920 wrote to memory of 2956	1920	System.exe	94
PID 2376 wrote to memory of 1716	2376	WScript.exe	95
PID 2376 wrote to memory of 1716	2376	WScript.exe	95
PID 2376 wrote to memory of 1716	2376	WScript.exe	95
PID 1716 wrote to memory of 2676	1716	System.exe	96
PID 1716 wrote to memory of 2676	1716	System.exe	96
PID 1716 wrote to memory of 2676	1716	System.exe	96
PID 1716 wrote to memory of 748	1716	System.exe	97
PID 1716 wrote to memory of 748	1716	System.exe	97
PID 1716 wrote to memory of 748	1716	System.exe	97
PID 2676 wrote to memory of 1852	2676	WScript.exe	98
PID 2676 wrote to memory of 1852	2676	WScript.exe	98
PID 2676 wrote to memory of 1852	2676	WScript.exe	98
PID 1852 wrote to memory of 2016	1852	System.exe	99
PID 1852 wrote to memory of 2016	1852	System.exe	99
PID 1852 wrote to memory of 2016	1852	System.exe	99
PID 1852 wrote to memory of 2580	1852	System.exe	100
PID 1852 wrote to memory of 2580	1852	System.exe	100
PID 1852 wrote to memory of 2580	1852	System.exe	100
PID 2016 wrote to memory of 2672	2016	WScript.exe	101

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
"C:\Users\Admin\AppData\Local\Temp\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cda4055b-5dc5-48ff-900a-e67f2ccc4085.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
      "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1716
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5ccf535-6df5-4082-b150-75146ec345bf.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89d106e8-2e72-47f4-a6bf-862dee264a80.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cff39793-79ac-4a14-8aea-41c112cb5f2b.vbs"
        9⤵
        
        PID:2276
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b40d55b-4e86-4e08-9eae-4bb986f7494b.vbs"
        11⤵
        
        PID:3028
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7b859ae-adf3-4f82-ad6d-30ac82473213.vbs"
        13⤵
        
        PID:348
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cea1b4fe-2022-47ae-a5ca-30ac669a317d.vbs"
        15⤵
        
        PID:2816
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9d95965-fbdf-4734-91c3-d9f6e3b7fa42.vbs"
        17⤵
        
        PID:2156
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eb3dfe9-b359-45e3-ab65-68b820198d0e.vbs"
        19⤵
        
        PID:1076
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64051594-c36d-467e-a3a2-2ea8861e4bdd.vbs"
        21⤵
        
        PID:664
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e12a7d80-627f-4ce3-acc6-ed005614c914.vbs"
        23⤵
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a3580d6-dea4-4a3a-99dd-4f79d6a5bacb.vbs"
        23⤵
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd6445ba-333a-406f-8e42-5567bf708c22.vbs"
        21⤵
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1d4d1e1-8017-433a-8183-c2e2c2cf090a.vbs"
        19⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2a4bfd-784a-4305-8614-eb199fa803b3.vbs"
        17⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20ecaaee-526d-46af-8211-bdcff42350b0.vbs"
        15⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a10b14aa-2124-4728-b74f-1514826035d6.vbs"
        13⤵
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97961807-0c4f-4a11-a72e-9a699129da72.vbs"
        11⤵
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f38c32c-6f45-48bc-9b5e-ea4dbcd2fef9.vbs"
        9⤵
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dce6ecc2-de2e-42fc-bce9-89a298c7fffe.vbs"
        7⤵
        
        PID:2580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a641d57f-87a0-47d3-b69b-d8cb9f9e09fb.vbs"
        5⤵
        
        PID:748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09d0e52f-c5d7-4835-ba43-2f9da70e9910.vbs"
    3⤵
    PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Cursors\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5d" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5" /sc ONLOGON /tr "'C:\MSOCache\All Users\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5d" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Windows\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Windows\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Wallpaper\Windows\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe

Filesize
1.0MB

MD5
aea3d4caf079e299eea0b385a4dbbedd

SHA1
74b93127a847e2e2f2af6baa6b4ad6431c02ac63

SHA256
d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5

SHA512
8df72070ac43ee5b3e0ba8e958b0b5132229be9c6b1ed07bc0d26cbaeb27199fda53ca0cbe80c39f6af878db84d06206f59cb9bf97b64dc61b7f47237e1edbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\09d0e52f-c5d7-4835-ba43-2f9da70e9910.vbs

Filesize
525B

MD5
de77c2b6335b57ae9bc26eaea90ac0fe

SHA1
e44d3a9aebe629deca4ba827be25ef7eaef1fc6a

SHA256
abbb3617d0b21f352df5fe6d7160da39f5642e9a4c5628a24e67b01f0d6807c2

SHA512
3bf41c3be5f949c410b757fe5a7d24b8c704e302a1b606f6cc524f07e4426d7389a17837bc1f9a2b0db0f1b8921bcbeaa065a9c21d249353b926c600ae0ef749

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb3dfe9-b359-45e3-ab65-68b820198d0e.vbs

Filesize
749B

MD5
c8ae93da1915ba957f29c1fc5f7b8406

SHA1
1136ee938aa047012aec22b88a959a525295dd15

SHA256
10e714c5ff37ca13ef4dcd919b312f8d9b1daa768eb21c0279f029e30bb1c538

SHA512
1f1e87971d5c476130aa2f270582ccac3bb4fff0b6e5a992bb7e3595f5577c2dd65a001d241ccb0d8117501918aea826569294458266fd3b5bd70ac482d6823d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b40d55b-4e86-4e08-9eae-4bb986f7494b.vbs

Filesize
749B

MD5
e7fa6708954c38212bf3db9b29745470

SHA1
1c3f5f65909307c715a1553a816486d0d5b8173e

SHA256
65f22bd266b6210f387ecf9156c017d3e2e4176c84000b3fe896656b3c63af74

SHA512
b74e220de0dadb804085207d6f108bf3106104f5eb80586fd89db57785735a7131466187c54c1e9306cca9707702abad85bb896ba694962fc1dcda9363bb6063

Download Submit
C:\Users\Admin\AppData\Local\Temp\64051594-c36d-467e-a3a2-2ea8861e4bdd.vbs

Filesize
749B

MD5
1138fe8c6c599e704f0b9a8d1fab71fa

SHA1
6843d0f01c0b8b570ab3e835e26a84b1edb84e07

SHA256
f82a9c947fb1154c1584f3457407d21057967e326ecf8b123b9a9cf7fb6434d4

SHA512
00a0582037a40e3e9231ad6f4b7c459d2b624c4b7bcb36deb11ec37e7aef03d93227ebd30bba4e726517ae10b6bde7fdc52ea3604b51c2a2e98b9f609e2dc665

Download Submit
C:\Users\Admin\AppData\Local\Temp\89d106e8-2e72-47f4-a6bf-862dee264a80.vbs

Filesize
749B

MD5
909f011612077bcf5a3acfe7ef3f8b8c

SHA1
39ef1d50612337ccab3fafe2df17d958d08cf40f

SHA256
4314fff2b125478ae3c0fcf2f350f07c9e4c40773bb74363f75ae43bf70e2bf5

SHA512
9f915a6630c7e3b6ca643a357a4f7e5d44326822d1ec11a15d6a1a3e4029854289f09ddd953178321885f1903cc0a937577228eaf75dbf19402e0782c24ffd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5ccf535-6df5-4082-b150-75146ec345bf.vbs

Filesize
749B

MD5
ad7c49239f646544f76a82f1648deab0

SHA1
099370509e724d788aaa2e9dea95f59bce1f5540

SHA256
5a83d59486fddc140360c76f709812c40034095ec2842e0ad75106dfb2676510

SHA512
71ef8d356047a3a8b09b6352af31fbf73cb0c9fc44add8908fddcaeeef733533aab71620c5d2db59d4dc1a09f27b992eb046650f39bc9ea7d7ef41d317120674

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7b859ae-adf3-4f82-ad6d-30ac82473213.vbs

Filesize
749B

MD5
ff93e6f8d914757b8b86eadab8ec055b

SHA1
b0430dc77c3fa7d28898861193a78a285b7d29ed

SHA256
ab6b712e786bd8cca07ac26a08fefa0ce5802ee3c73b6d68c7edb4611904d677

SHA512
2922ec87561714ca7d23150dc57bbd40bcbdd321aa9eb6485a7a3459c5bdf953c3f2a834a70fd6be45ae2e9a8d6f745adac8e5fea8f5a2e7ca566995533633a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9d95965-fbdf-4734-91c3-d9f6e3b7fa42.vbs

Filesize
749B

MD5
a7ee40d6ac433bf73356b5809b4690c4

SHA1
bb541d3dd6820fbbc5f3ed665cf39c0bd14c76a4

SHA256
f986f5239d77f736012cdad4bd0660f63c7230e06ec537adb4ab5ed6756761d1

SHA512
07ea176a4facc0d43115df19430e57d2175b48f893805d036829a6b29fdf9b126457124bb4e78db37580f37c108a2420c28cb53139eaf2881f4e68eb9ef98955

Download Submit
C:\Users\Admin\AppData\Local\Temp\cda4055b-5dc5-48ff-900a-e67f2ccc4085.vbs

Filesize
749B

MD5
bad50f566559192e633d1a7f13827a27

SHA1
bfb5b8b2fe629615caf0c2a8e10af53862d816aa

SHA256
25070954163f23ecb22fb56fe565c856c0704a4a51d23d690385399fe258157c

SHA512
eb5c9f5350834fc2ff84e15eb62f66d3f2ec69ac23ac09d38366f534ff74bd71eec73adc333b3abf6589be22f1ff0841832f1b3558169e7058855aadeb5591cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cea1b4fe-2022-47ae-a5ca-30ac669a317d.vbs

Filesize
749B

MD5
028edcba4f7971fb891a188d05d681e5

SHA1
bf80c3cd4534f5d893564276032bedd1b0ac2e74

SHA256
c11b7b1e9ad91fcbdf988a8b879d8ad973d84a141c11070e5af7bf54e060be10

SHA512
38523565bced27f44acbdf85ff672e265bfb44186e33819410daf420dea2883881eb9ad46dfb96be8970f157f9ed93851981ea38dc0f270bd1ea493068ec3115

Download Submit
C:\Users\Admin\AppData\Local\Temp\cff39793-79ac-4a14-8aea-41c112cb5f2b.vbs

Filesize
749B

MD5
90d83e90dda3375a52cba8cee4431c8f

SHA1
39534fba7fd75cce68ec4f46920de3e90f0d97e1

SHA256
20e45ff58618f783296f70d9813bda54260ccb4076e07035307fcb9076ab5036

SHA512
5c914471fb5515b804b44d28606397b92a4f8b07cb7b11a0b046874d1ce3bb70d88d8f18d5e20a0b26905f0a2d658da4a18579cb05025146a7efaa7515e577e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e12a7d80-627f-4ce3-acc6-ed005614c914.vbs

Filesize
749B

MD5
423be2e0605def42fd16658fc8d1f03d

SHA1
0a178b03eb323a146e021cc78285fac2e0e1c455

SHA256
014568b1cd1654fc89393b6f1277673e0c71c9304524599413e460cf54ada331

SHA512
7d59c8e4cbf66306f3193eb254151254e5f5a52f707887f19e499734c6307aae61a859af4252b27e477c59cacac4cb440d4d9eaa710c7b02a79d83ffd56fd403

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
288b2cba47bea7cd3367f7ced00b2c86

SHA1
f6adfeead9c79c8f641a49ff9fbe0e926b814a46

SHA256
2960e7b077685eff9351ee3b4848ace337eb730ce1febcb79ef9bd9ebbbb3521

SHA512
fc878e32793bab83f2149583ce067c1d0eed42e2ecaba83808cc2dab414f510274bcf68ffbd7c03623a01a73ab5c43f42a72460a0af0876834a52cb6302117b9

Download Submit
memory/1364-216-0x0000000000110000-0x000000000021E000-memory.dmp

Filesize
1.1MB

Download
memory/1716-121-0x0000000001190000-0x000000000129E000-memory.dmp

Filesize
1.1MB

Download
memory/1756-192-0x00000000002D0000-0x00000000003DE000-memory.dmp

Filesize
1.1MB

Download
memory/1852-133-0x0000000000300000-0x000000000040E000-memory.dmp

Filesize
1.1MB

Download
memory/1920-48-0x0000000000250000-0x000000000035E000-memory.dmp

Filesize
1.1MB

Download
memory/1936-180-0x0000000000310000-0x000000000041E000-memory.dmp

Filesize
1.1MB

Download
memory/2036-228-0x0000000000890000-0x000000000099E000-memory.dmp

Filesize
1.1MB

Download
memory/2068-157-0x00000000011A0000-0x00000000012AE000-memory.dmp

Filesize
1.1MB

Download
memory/2192-12-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2192-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/2192-1-0x0000000000C50000-0x0000000000D5E000-memory.dmp

Filesize
1.1MB

Download
memory/2192-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2192-16-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/2192-17-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2192-11-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2192-13-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/2192-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2192-14-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2192-15-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/2192-110-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2192-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2192-10-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/2192-8-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2192-9-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2192-7-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2192-6-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2192-5-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/2416-64-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2416-65-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2672-145-0x00000000008B0000-0x00000000009BE000-memory.dmp

Filesize
1.1MB

Download
memory/2752-168-0x00000000003C0000-0x00000000004CE000-memory.dmp

Filesize
1.1MB

Download
memory/2836-204-0x0000000000B80000-0x0000000000C8E000-memory.dmp

Filesize
1.1MB

Download