dcrat | 6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
Size

1.8MB
MD5

e161f5c294ac3464de6f84a53a506700
SHA1

9c9b1f8f6c060e7e0ce67292e9ec249ec265aea7
SHA256

6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34
SHA512

e5ec70fea9bf4bc5e0e858eaea1f31259300193edfe48b963e2179d01bcbc1e50d6bccf25a35acd4b0fefaea1ba4ee6c429fa76ae02426c73d4fd69f0585268e
SSDEEP

49152:5WqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:jKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2892	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1720-1-0x0000000001100000-0x00000000012CC000-memory.dmp	dcrat
behavioral1/files/0x0008000000016dc8-30.dat	dcrat
behavioral1/files/0x0007000000019605-87.dat	dcrat
behavioral1/files/0x00060000000195f7-123.dat	dcrat
behavioral1/files/0x0008000000004ed7-170.dat	dcrat
behavioral1/files/0x000c0000000195fd-194.dat	dcrat
behavioral1/files/0x00080000000196ed-200.dat	dcrat
behavioral1/memory/2292-294-0x0000000000FC0000-0x000000000118C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2972	powershell.exe
2184	powershell.exe
3020	powershell.exe
1048	powershell.exe
320	powershell.exe
2432	powershell.exe
3004	powershell.exe
2836	powershell.exe
2356	powershell.exe
1812	powershell.exe
1484	powershell.exe
3008	powershell.exe
2728	powershell.exe
2416	powershell.exe
1368	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2292	csrss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\RCXFD15.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXFF1A.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXEB6A.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXEB6B.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\886983d96e3d3e	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\RCXFD14.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXFF19.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\886983d96e3d3e	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\RCXF62C.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Windows\Downloaded Program Files\audiodg.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Windows\it-IT\WmiPrvSE.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Windows\Downloaded Program Files\audiodg.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Windows\Downloaded Program Files\42af1c969fbb7b	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Windows\it-IT\WmiPrvSE.exe	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Windows\it-IT\RCX18C.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File created	C:\Windows\it-IT\24dbde2999530e	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXF62D.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
File opened for modification	C:\Windows\it-IT\RCX11E.tmp	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40cce4ae8944db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000df006c7b811581d2103415bd0f212a3cba41ec089441003abb6b90ea8ee6b953000000000e80000000020000200000007cfe7cadb604aff88347d228bd31f3d197df1018d74ccfceef4b4e5383f56cab20000000bd5aaa7478fd5898f8f527cc54a31d10d7333799d53e9c0296fd7ff12a1d5a1b4000000026a87cc507d95296778857931f50afe08a6c5faed005083f4b61eb1701c231489cfd8c12daa9aaaf80b7f7907ed16b2de3295c72f86ea88c3dd19fc72c604296	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b960000000002000000000010660000000100002000000017a0e69f07f8e9e54cc990934b0d08e9a1d3cb5c4abed617ed06994cd4f42b6e000000000e80000000020000200000000e948f8d79b5470dea626ef0745e7bfb03419c1a90abe8ca929547158a7ddcdf900000001d7f4bde5444b9e14b646b152ea54f8fd7537efa801b66374892c019200ab6b22c9e86a3732300456f4e2dc0211a1051f501b3951536fa5c8279e17e5fddfcf72583300ff7f3219d1684d0b0eabdcb316b19c76c7145e8e7b71252da45a299e6524570cb44fddcb75fafe33caf6377d6cf8ad1ba49b5565ee977e765f9588117e07982145818e42ccd90127547a5101e40000000427f38c190b0876b43f8cf36c463fcf093ae8cee834ac020e290e55b41f7c2e320e8aa66cf15a96746f544a6336ea5eeaf7715f59b099d9d9e076dcc1c359c1f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439285442"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D89F8931-B07C-11EF-8B93-E20EBDDD16B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
808	schtasks.exe
1252	schtasks.exe
2144	schtasks.exe
2440	schtasks.exe
1556	schtasks.exe
1608	schtasks.exe
2984	schtasks.exe
2092	schtasks.exe
2020	schtasks.exe
2640	schtasks.exe
2076	schtasks.exe
1048	schtasks.exe
3024	schtasks.exe
2044	schtasks.exe
2676	schtasks.exe
2356	schtasks.exe
1668	schtasks.exe
2828	schtasks.exe
2392	schtasks.exe
1604	schtasks.exe
2772	schtasks.exe
2664	schtasks.exe
2804	schtasks.exe
1092	schtasks.exe
236	schtasks.exe
1716	schtasks.exe
2656	schtasks.exe
2636	schtasks.exe
1280	schtasks.exe
1768	schtasks.exe
2796	schtasks.exe
868	schtasks.exe
1820	schtasks.exe
2836	schtasks.exe
1444	schtasks.exe
2136	schtasks.exe
2464	schtasks.exe
2528	schtasks.exe
3044	schtasks.exe
900	schtasks.exe
668	schtasks.exe
448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
2432	powershell.exe
2184	powershell.exe
2972	powershell.exe
320	powershell.exe
1048	powershell.exe
2836	powershell.exe
1812	powershell.exe
2356	powershell.exe
3020	powershell.exe
3004	powershell.exe
1484	powershell.exe
3008	powershell.exe
2728	powershell.exe
1368	powershell.exe
2416	powershell.exe
2292	csrss.exe
2292	csrss.exe
2292	csrss.exe
2292	csrss.exe
2292	csrss.exe
2292	csrss.exe
2292	csrss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2292	csrss.exe
Token: SeBackupPrivilege	1688	vssvc.exe
Token: SeRestorePrivilege	1688	vssvc.exe
Token: SeAuditPrivilege	1688	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2152	iexplore.exe
2152	iexplore.exe
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2972	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	74
PID 1720 wrote to memory of 2972	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	74
PID 1720 wrote to memory of 2972	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	74
PID 1720 wrote to memory of 2836	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	75
PID 1720 wrote to memory of 2836	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	75
PID 1720 wrote to memory of 2836	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	75
PID 1720 wrote to memory of 3004	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	76
PID 1720 wrote to memory of 3004	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	76
PID 1720 wrote to memory of 3004	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	76
PID 1720 wrote to memory of 3008	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	79
PID 1720 wrote to memory of 3008	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	79
PID 1720 wrote to memory of 3008	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	79
PID 1720 wrote to memory of 2728	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	80
PID 1720 wrote to memory of 2728	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	80
PID 1720 wrote to memory of 2728	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	80
PID 1720 wrote to memory of 2416	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	82
PID 1720 wrote to memory of 2416	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	82
PID 1720 wrote to memory of 2416	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	82
PID 1720 wrote to memory of 1484	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	83
PID 1720 wrote to memory of 1484	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	83
PID 1720 wrote to memory of 1484	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	83
PID 1720 wrote to memory of 2432	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	84
PID 1720 wrote to memory of 2432	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	84
PID 1720 wrote to memory of 2432	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	84
PID 1720 wrote to memory of 2184	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	86
PID 1720 wrote to memory of 2184	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	86
PID 1720 wrote to memory of 2184	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	86
PID 1720 wrote to memory of 2356	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	87
PID 1720 wrote to memory of 2356	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	87
PID 1720 wrote to memory of 2356	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	87
PID 1720 wrote to memory of 3020	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	88
PID 1720 wrote to memory of 3020	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	88
PID 1720 wrote to memory of 3020	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	88
PID 1720 wrote to memory of 1368	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	90
PID 1720 wrote to memory of 1368	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	90
PID 1720 wrote to memory of 1368	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	90
PID 1720 wrote to memory of 1812	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	91
PID 1720 wrote to memory of 1812	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	91
PID 1720 wrote to memory of 1812	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	91
PID 1720 wrote to memory of 1048	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	92
PID 1720 wrote to memory of 1048	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	92
PID 1720 wrote to memory of 1048	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	92
PID 1720 wrote to memory of 320	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	94
PID 1720 wrote to memory of 320	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	94
PID 1720 wrote to memory of 320	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	94
PID 1720 wrote to memory of 1596	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	104
PID 1720 wrote to memory of 1596	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	104
PID 1720 wrote to memory of 1596	1720	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe	104
PID 1596 wrote to memory of 2916	1596	cmd.exe	106
PID 1596 wrote to memory of 2916	1596	cmd.exe	106
PID 1596 wrote to memory of 2916	1596	cmd.exe	106
PID 1596 wrote to memory of 2292	1596	cmd.exe	107
PID 1596 wrote to memory of 2292	1596	cmd.exe	107
PID 1596 wrote to memory of 2292	1596	cmd.exe	107
PID 2292 wrote to memory of 1768	2292	csrss.exe	108
PID 2292 wrote to memory of 1768	2292	csrss.exe	108
PID 2292 wrote to memory of 1768	2292	csrss.exe	108
PID 2292 wrote to memory of 2400	2292	csrss.exe	109
PID 2292 wrote to memory of 2400	2292	csrss.exe	109
PID 2292 wrote to memory of 2400	2292	csrss.exe	109
PID 2292 wrote to memory of 2152	2292	csrss.exe	114
PID 2292 wrote to memory of 2152	2292	csrss.exe	114
PID 2292 wrote to memory of 2152	2292	csrss.exe	114
PID 2152 wrote to memory of 3040	2152	iexplore.exe	115

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe
"C:\Users\Admin\AppData\Local\Temp\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtwHUJyt6A.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2916
- - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe
    "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2292
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3680872f-370a-41fa-94a7-96452ab8d7f1.vbs"
      4⤵
      PID:1768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\472f4bc2-e20d-4546-90d7-fc08b1a17866.vbs"
      4⤵
      PID:2400
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12824/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N6" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N6" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.8MB

MD5
ca10f763a3f10297a984b3a01a79f189

SHA1
9e74804d06ec367010bdac4bc6c9be0f03452dfc

SHA256
282e6bcf614452829ad84aa1d1be70c27c8325f57106a54a3a8b20378a0a9cbc

SHA512
3c9dbf21f046a29829a46f9e9dd5bc0c7d9131ee05b1b85ae1ee9475a1a8cd88a4789991216af65fa09978f24686c20fad8b2e16680de1fd6825810f4081db72

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe

Filesize
1.8MB

MD5
e161f5c294ac3464de6f84a53a506700

SHA1
9c9b1f8f6c060e7e0ce67292e9ec249ec265aea7

SHA256
6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34

SHA512
e5ec70fea9bf4bc5e0e858eaea1f31259300193edfe48b963e2179d01bcbc1e50d6bccf25a35acd4b0fefaea1ba4ee6c429fa76ae02426c73d4fd69f0585268e

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe

Filesize
1.8MB

MD5
4c7457a506bde25c6687d55998e2bfa1

SHA1
060f89a18848772cede13f396acbcfa530aa839c

SHA256
27a7de3f4093998735d1d78c60f298833a5922add2fc6566eac3f6297eeeb9aa

SHA512
f1b4159dd33c09fbcf27dc27f272573b647bcde805100a9debce2ea83f5b12d2d65ceb339b39504c1054002ef96d7358bef28aeeb576da6ae1da2ee1fe7cd09f

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\RCX845.tmp

Filesize
1.8MB

MD5
bb28261a006aff0dabdb0ecb47a0f7f8

SHA1
ef8a2a687cd9ae8cf247f14a23e5daded07caae4

SHA256
25f91d5e411d71dc0ee1ddb56727cb005ab3b705e6520933b62583922e55e311

SHA512
0577b6bcb48ddf4be7439ce4fccddce59c326eb0197a0b514058c039c6829e72bbdaf07f36588ec2a4a32fb817231a569b6b973417a09dbc5f87fcf49f67cb93

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe

Filesize
1.8MB

MD5
ebd94f1880b5f258b8e802f99376ea8f

SHA1
2003c9892ec97f2561f72cddd0e48f101ceb6b85

SHA256
4fbb704756764cd1c57b16440301f8bfb7ee5ceda799d8f360215ff3ad2ea52c

SHA512
4bb6e749b28299b0e40fdc8fe7716355d9ce0446b3fb0ec35196cacad5a52c25f6e66b221d89c45a7549b219025e99296e0cb2c7133603105cf14ff0ceaf8bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b21ca8c79823f5706ce2c0aa0306479

SHA1
1997de332804bb489a230f509fba83252ec1a816

SHA256
dff949ccde538cdc47c940f3038010ac0bbb1d62b30192f1ad62820e1a726fa4

SHA512
7ce41413a1c73f3f83edabb6cb5f5d7b41f6e34cf1f6b51c83deade9eb89e7847fb1e9deccd8be97496ae0dff578c80aabf17838a96e6de1d5eebe80c58f5622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
188e60400e076dde10a622ab38b6160f

SHA1
d4cb96bf5badf3c0cc66207ca361d857b0e6c793

SHA256
226e5884959a2e936264e033518d14c37b7004544fe4bd72b6bd75a9b2b56961

SHA512
5a780a5914f48c869e5718898ec2c6a1bc87fe0048d7abc27a112f0213558e92902417d21b25059ae222a2e4053ac5f01d54b6c7f496ad2d02af497afc401fa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fae857daac1e606c338bef01b1fb35a8

SHA1
14dd1a3a52aff6c8e4f15e87f5cf6c78b7214479

SHA256
242e671b8f958bee6ab724f8a9119ae8e29bbb0ddbea0df003b7f9f10a84cbce

SHA512
ca3b07ccc888e1bad3d14e4596c134ed0df30acfae6f5a53e07c32ecfde55f47b29d2480a8593164427c507d50c608651c9708634f85e6d22c649294efb6fd04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c123b3b3c567acc29db9bff959af1e18

SHA1
baed3a78d16e043d717887abbacd3e0c6c377ad3

SHA256
feb00ef1b76c552b53d936ef885375c227284074fc85aae231252aefa784e4ec

SHA512
ecf300576b1b09fc12a69d2a3e54fbd15b5be926710a25dab589760e63b85036c3909c63f744579636b2b503a6b1e67e0454744b5e0acf45b237cafbd69144ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6cb47053c58a92c6a56b78e86df44b6

SHA1
ec25e02a6633d4f938fdf6b2d46f12223c364a82

SHA256
56c4d735b19d07d8217939f8605589f7d9b88d84106447f3d3463388f223c4cc

SHA512
5eb41c77e382bc1713423d7f8c5b77f4552a791f2388a6f3c11b856250e4553d8e55e4bbde6ac188270d911029b0222796bb68c8ac6a0fdfe9d17752d9834813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dfad4b5f0e76cd48dbac7b040cc1d50

SHA1
9122448350f90d44d97b94c4d5e4046ba049d074

SHA256
1c8d97b5b4fd0a888f3e8440f561eb1e7084a7533c8900dddca52d9cd91e7ca6

SHA512
3feed6428be1c35c261924a50c5eced312e791e6e209e555ac17027155d5cfbae14a095dc2d70f74c76affa156f9472a72e6a609813680771bf8163dee2df44a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52335838c06a526e3a69f53a33b638d8

SHA1
45448f304cf14bc9017271dcac21a70c9d6fd175

SHA256
0075c8e6f82cc7acdf260935fe33c94a26db35413e0ce3525b1573d3f82fd799

SHA512
7d41709d1401daf8ea6a7bb60d008d3ea086c7283a63d3dd0cf3a3fe43fdd970fb97bf6cf5f1341d21d9be437f39d511d5715e0d14f75644bd9fa8f11501226d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4994296f221d173457b8088b4d17a58

SHA1
6f075294d1574af2813f8b8f4f762d40fcdb961b

SHA256
ce4338f70b59e8ab0eabb9c32566f1eeb033013f363dcbbeab4a1b3cc5f7bf74

SHA512
d268109d64c839b8caad11d6c9df7d1bcbdbfec3b6eba1d33b97bc46432f54ee5b2b098914025a60c331dbfa5518f93261d35a8e254cfd99098c37c63eb9fe8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
404a66aeee8b004abb6c85d7367edcea

SHA1
0dc97c731162d406e8d39d45a42e66f192d1c9ad

SHA256
6c192fe42006f649203eeb02a97eb6b08c3c2b9581734e0e71bba5fb171d950e

SHA512
611c00e9854b95cc73c9db65427b406b38c21fdcb6ce9d84b31a9386b82f72ecc76a780844b49b6b05448e1fd0736050f932a9123ab65ab365f5cdf11d9d340f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f69d1918e7dc3162f350e2669408b55

SHA1
8a3c98f8b083cc901a490e08dcf4e5d1da03e3d8

SHA256
0c0e73ff39389db8f8333f695b1c8aa7c5b1943f4dd793ca95a5d24f83b559b7

SHA512
054edc434633887ea301318cce0c4c4aee3c3d908c9b3bdd83b3b6b35df9b08eec02a770cd44f65519e3fda8283997f013f7714a997b2777872031a8fd7748a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e9388d1c2cdcf9bcb528a2cc504ddf1

SHA1
5ae753462e320d88f45b68af437465cf08c4c852

SHA256
750d4a51f9a5d03079f8b4bcccb9bf22e2ce30fd4241be6247cc303a5179fc9f

SHA512
0841e2a0cc4450c324e6455c74ebc8e2713a0d06896e1452c7ea651de73c2278af9ba66d4e6456aa27940dc291eba6b91527cfd56a1dc8e942876f0f3bbb850e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e544e76f6eb4f431463398e42dcbca48

SHA1
cf3a5ba0166389a56c0bdfa158a211fc3cc98a54

SHA256
a2a6dd4deeb95bed6459842a1a6af0dc9b88cd24703c3d27b3133d2669dd5284

SHA512
12e7ec537aaa75550f39530cbb8f3d1be051b14cd1056bc16c4117d87dd69b269d56a3302da0f0e246454553786363038c5237f3b6d91f7b99829c9a6b93c805

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
784317793f6bd979c9dca76e7ee2629f

SHA1
5b1551421c02ca8aa4695c809d7e9a8abd0dca48

SHA256
cf03533e716e39b345148f303bfa0c902b0ced9aa79001ca11042c082d2e1889

SHA512
b790f787a60e8d60270c76316f93244fab9d4f8759d89ddecbb1a4bf5dc166c653dd44fa3ba114dbf2a285f61635f9895fd087d9881a6baf7fbb438e3c2fbe5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ed441f942244f548ea3d061f74fc9db

SHA1
cc68a25fa500581710d853b95336f34451a60535

SHA256
8f9aa4b2ce512bc2b58c7be8d2ae40eb21a07482bb246fc396bc04d872f925ce

SHA512
2da91f023776571aced21be9e48cfb2ae5fff49b587b29f41fe5df29c1267a94288f271ac66e2d53e439f9f523cee3b30f27cbc66c84db44a82f72c4215e63ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abf6b0011b1f6a75e5f5577b0bf00afa

SHA1
0bb357e825fd94722bae00208a72b2ef5d8063ba

SHA256
0d6928b10750d91da5c99d4d0e2684c211a6f16c52d657866bd84f317e4bcb40

SHA512
02e218f22894cb27c6efb61097f16bf74e527f51ccf89bbd6e5590008e1cd7f6c1561b627dec3ef98ec055f4bd7a894091ab84e34b191616ed06a7502d276e41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
890e91182b6ed51b50eca104fc193e70

SHA1
d4b47f1f5d31180461f5b7183bc0c02118fd65eb

SHA256
46224c4efb92dc5d2ada434326d0c39e368ad5013c981afe51d523d5e619be16

SHA512
1f53624be6e20dbd57a0cc0db66c043dee8fd92339c282421c8de9905e87e43fbd021532fd0263125581cabb64886fb5d70cfebcc854e315c81c9fc1d897890f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcb6099964c13e535c0eab1f8be8af0d

SHA1
56eaeec12162ffd434f96849aa447426396c53cf

SHA256
1320a9b044b0a9247ec654eddc1e778a16e788bac8b3d1f189f86f9c535a1920

SHA512
a363a3471b3d2a2233985f98ec808e61e3ac97e275bf8570abaeb5017418129650bb742f3a2ec6de3392039309b13c36fa98ec238b96fde7fa15f32cd8f5a4c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4290cc4105e8c1397f63643c4c7dee24

SHA1
d151f4cf86c43a7175d02d4ec0f09ebd0b243adc

SHA256
a4ee1432a42feeb6f857bad3582d321e2bbc58f1b0382c4858efbff0ac8a7477

SHA512
b8ff2975fa8ab72b8faae3d71a1f71ddda2399763bb866c4559f5331a10dee8f796f8b7b42feedfb0189e62b2e712ad21210158012bf46ac00dd01060b239168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8709b80c00804d9f91a20fe937779f9

SHA1
3d257b9586d945a6d12abd56110f918fc821f1ad

SHA256
85a911d26e46f567e7dade8c2734c450c804a59bc01acb066c80eb294c10378f

SHA512
441acbe4a5f4d1ee026d98546f501cba85180b09ef3cc3303a67ff6390de37cee47be4a7562fa051b00011c282578663f5923171121eac0eb405066182c7f68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3680872f-370a-41fa-94a7-96452ab8d7f1.vbs

Filesize
734B

MD5
6c06eb7896228531089586d5ae8fa943

SHA1
b3d0454f60bb0c91bac7b4957f628fddf0aa55da

SHA256
de70e434493b8f425492e743141c4a2ee3335248727921cd3d01c872cc6bc25b

SHA512
57f3c3854a6b2b3012d2323afbcee8496177249ef8f16177e5f6825a965853f6e1296eb579a570e5ffdd7fddef161697d86622cd93d543aefea8386a02503e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\472f4bc2-e20d-4546-90d7-fc08b1a17866.vbs

Filesize
510B

MD5
9db8690608f282aaf8cb1f3393c04241

SHA1
58345929c8f4c5efdee134d9e742b50c3b25f428

SHA256
7a3136e8fc76bafc29ba74a08f0a7670e52ec5ee409f8fd659cddc1426d7a788

SHA512
e1bccc2e801bc0a27225aadbbce174d722ec79ff56b4c8bb6784885d456e95d9aaa9d6c9cc8eae6299ffae7d05ffba1be5ae35d1fd3ea55ecfcdb3b61686d3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab81CF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar827F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtwHUJyt6A.bat

Filesize
223B

MD5
5addc95e1b1455fdab273258034181c8

SHA1
f601892be75c55b06f5b6d9f8221ba65725632a9

SHA256
58e2171ad30bd558a2e6aea242ba3a935793c3f43cb518c3ee970836d9ee5880

SHA512
baff1ec31cc03669fd51fb2305b823d362d089e5cb37ed82cf32c0b6be49ba8212714971793f5302f5598305395b49388fbf7975276b77a864aaecc823ee02d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3b306038e78ccdc964907e784ad041e4

SHA1
6cd8ffc6d6efa57afc7f0fbf939712de613fdf29

SHA256
66734a271278084a3809fe004b7be9d650616bf77c2d15e6a9a2a38b62b4e200

SHA512
20c69d3f7683f23fd82221813930bbafa59ff68edc9313581f6f68a9776f215b668d7160b60ff5f00b724900a69afdf0a4dc2ec323d84c1aca209a3db2d4a5a3

Download Submit
C:\Windows\it-IT\WmiPrvSE.exe

Filesize
1.8MB

MD5
f7ee1211b13fc0180c5cbf5d5b92eee1

SHA1
39096209c77239d776915a4d8401a6f560a3f7f4

SHA256
a571de7150fa2b972c2cc68991ebd62d027a2ce1f59d2b5a3f06c466f0c33bcf

SHA512
12f1bbb3ba6d4e700e74f731d5c4e3b9913646ce897c578752bc09a4d2d78c1483c08e4f073360d022e4a153f16a7cbf1f3a743afa6afadfe6550f3de3ec5f18

Download Submit
memory/1720-7-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/1720-11-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/1720-208-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1720-10-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/1720-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1720-5-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/1720-6-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/1720-185-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1720-8-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/1720-4-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1720-3-0x0000000000650000-0x000000000066C000-memory.dmp

Filesize
112KB

Download
memory/1720-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000001100000-0x00000000012CC000-memory.dmp

Filesize
1.8MB

Download
memory/1720-239-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1720-19-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/1720-21-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1720-20-0x00000000010D0000-0x00000000010DC000-memory.dmp

Filesize
48KB

Download
memory/1720-18-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/1720-9-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/1720-17-0x0000000000DC0000-0x0000000000DCE000-memory.dmp

Filesize
56KB

Download
memory/1720-16-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

Filesize
40KB

Download
memory/1720-15-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/1720-14-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/1720-13-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/1720-12-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/2292-294-0x0000000000FC0000-0x000000000118C000-memory.dmp

Filesize
1.8MB

Download
memory/2432-231-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2432-233-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download