dcrat | 01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Size

1.8MB
MD5

f3d2bbf94502d252041c35316a3437be
SHA1

337394ddba850c7e6c937087f93d1fa2dfcad0a2
SHA256

01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83
SHA512

e56b5f191ade12a301d249e17c3d933fcf11e18a591734b503ee8d106480d2bed92af277aded9c1e4b09b6665fdd1c3bf8069329949a24645b8bc229a8caca3e
SSDEEP

49152:5WqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh5:jKKZ1sRD2Q3N5MT4rO

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat 62 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2464	schtasks.exe
		952	schtasks.exe
		1676	schtasks.exe
		1128	schtasks.exe
		1752	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
		2844	schtasks.exe
		2476	schtasks.exe
		744	schtasks.exe
		2768	schtasks.exe
		2748	schtasks.exe
		1044	schtasks.exe
		2800	schtasks.exe
		2752	schtasks.exe
		1684	schtasks.exe
		2928	schtasks.exe
		2840	schtasks.exe
		1248	schtasks.exe
		1916	schtasks.exe
		2400	schtasks.exe
		2236	schtasks.exe
		2952	schtasks.exe
		3012	schtasks.exe
		2064	schtasks.exe
		1800	schtasks.exe
		1416	schtasks.exe
		2148	schtasks.exe
		1628	schtasks.exe
		888	schtasks.exe
		2888	schtasks.exe
		2960	schtasks.exe
		2676	schtasks.exe
		600	schtasks.exe
		2268	schtasks.exe
		2864	schtasks.exe
		2220	schtasks.exe
		1872	schtasks.exe
		2768	schtasks.exe
		296	schtasks.exe
		1796	schtasks.exe
		1584	schtasks.exe
		2408	schtasks.exe
		2852	schtasks.exe
		1880	schtasks.exe
		1672	schtasks.exe
		2520	schtasks.exe
		792	schtasks.exe
		2484	schtasks.exe
		2748	schtasks.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\b75386f1303e64		01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
		1764	schtasks.exe
		2320	schtasks.exe
		1664	schtasks.exe
		2348	schtasks.exe
		2712	schtasks.exe
		2888	schtasks.exe
		2832	schtasks.exe
		1004	schtasks.exe
		1948	schtasks.exe
		2300	schtasks.exe
		2444	schtasks.exe
		2640	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2176	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2592-1-0x00000000013D0000-0x000000000159C000-memory.dmp	dcrat
behavioral1/files/0x00060000000194e7-32.dat	dcrat
behavioral1/files/0x0008000000016d4e-63.dat	dcrat
behavioral1/files/0x0008000000016d29-73.dat	dcrat
behavioral1/memory/2868-258-0x0000000000940000-0x0000000000B0C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2920	powershell.exe
1924	powershell.exe
1044	powershell.exe
1236	powershell.exe
1808	powershell.exe
2720	powershell.exe
1600	powershell.exe
820	powershell.exe
968	powershell.exe
1764	powershell.exe
1248	powershell.exe
1056	powershell.exe
1728	powershell.exe
688	powershell.exe
304	powershell.exe
2932	powershell.exe
2940	powershell.exe
1400	powershell.exe
2600	powershell.exe
544	powershell.exe
1968	powershell.exe
2100	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2868	Idle.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXCEBA.tmp	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\cc11b995f2a76d	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files\7-Zip\Idle.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\24dbde2999530e	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Program Files\7-Zip\Idle.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WmiPrvSE.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WmiPrvSE.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Program Files\Microsoft Office\System.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\b75386f1303e64	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXCF28.tmp	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files\7-Zip\6ccacd8608530f	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\f3b6ecef712a24	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files\Microsoft Office\System.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Program Files\Microsoft Office\27d1bcfc3c54e0	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\wininit.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Windows\PLA\Reports\OSPPSVC.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Windows\Installer\dllhost.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Windows\PLA\Reports\1610b97d3ab4a7	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Windows\Downloaded Program Files\56085415360792	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Windows\Installer\dllhost.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Windows\Installer\5940a34987c991	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File opened for modification	C:\Windows\Downloaded Program Files\wininit.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
File created	C:\Windows\PLA\Reports\OSPPSVC.exe	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0fd23ef9944db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439292415"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15D1F7B1-B08D-11EF-8A1D-72B582744574} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c3092dcdadaa8944bbc4641d2fe91e1800000000020000000000106600000001000020000000e6b6a978a26ebcf91d1a3457113b8d7152891cc10461054d8bad590c6a2aaf27000000000e8000000002000020000000bece98cf912ff1609e3de770bcf6dc45c0006d553361846b97d49bf20d7e0483900000003f3dbe114abec5e7c3f1a3e61174f34795d05c4925662d6c651579ee75c7bfa38d545a9aef7b18776cb985e53a8cd18155f09c370f448965bb345f9b28a72b8f963fc832bef163b8e4455bbf64b74e0109e70666a1036dbd8614d3a6a1c88949f9fd0a4b6cb66d810db12205f7a5e2fbc28256b4d3b9830f3e9a45b0c8f381a321c4d7c3b58fae06f4bd933db023b64840000000ae60f372717ec8b8b8646c578e20941072ef3d60254709e62603b6fa870edfc509c5784cfd6b05064aaf4ac2b96f9b0506419453249d9f8b373257e4f6ee466b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c3092dcdadaa8944bbc4641d2fe91e1800000000020000000000106600000001000020000000ac54b2633a922748c2382e23dc5a9d802742135c134c9b6bdf87326d56bebf55000000000e80000000020000200000009b9c871926fc4b13f57e7afce52946f5718845a1320995e84f43c3d27ed4d08920000000d6258611666ad19706ecd85a33d6619a43fb6351df27c5de0b3ad93d66413e6c4000000057264d84685f9b43486d6d84378a477abe0510981b2a7aac453048dfcbba55a075b4b7a361834608a46569da05cd37ba078c1c77edf43ec3027123184cf8f2ea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2300	schtasks.exe
2064	schtasks.exe
1916	schtasks.exe
1672	schtasks.exe
2400	schtasks.exe
2752	schtasks.exe
2520	schtasks.exe
2768	schtasks.exe
2888	schtasks.exe
2888	schtasks.exe
2800	schtasks.exe
2960	schtasks.exe
1128	schtasks.exe
2408	schtasks.exe
2844	schtasks.exe
1584	schtasks.exe
2864	schtasks.exe
2640	schtasks.exe
2676	schtasks.exe
296	schtasks.exe
600	schtasks.exe
2852	schtasks.exe
2268	schtasks.exe
1628	schtasks.exe
2768	schtasks.exe
2748	schtasks.exe
1800	schtasks.exe
2840	schtasks.exe
2952	schtasks.exe
1880	schtasks.exe
1676	schtasks.exe
2748	schtasks.exe
2236	schtasks.exe
1664	schtasks.exe
952	schtasks.exe
744	schtasks.exe
2320	schtasks.exe
1872	schtasks.exe
1248	schtasks.exe
2444	schtasks.exe
1752	schtasks.exe
888	schtasks.exe
1044	schtasks.exe
1796	schtasks.exe
2928	schtasks.exe
1764	schtasks.exe
792	schtasks.exe
2712	schtasks.exe
2484	schtasks.exe
2220	schtasks.exe
2832	schtasks.exe
1004	schtasks.exe
2348	schtasks.exe
1948	schtasks.exe
3012	schtasks.exe
2476	schtasks.exe
2148	schtasks.exe
1416	schtasks.exe
2464	schtasks.exe
1684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
1924	powershell.exe
2920	powershell.exe
2720	powershell.exe
2932	powershell.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Token: SeDebugPrivilege	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2868	Idle.exe
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1828	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1828	iexplore.exe
1828	iexplore.exe
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2920	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	40
PID 2592 wrote to memory of 2920	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	40
PID 2592 wrote to memory of 2920	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	40
PID 2592 wrote to memory of 2720	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	41
PID 2592 wrote to memory of 2720	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	41
PID 2592 wrote to memory of 2720	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	41
PID 2592 wrote to memory of 2932	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	42
PID 2592 wrote to memory of 2932	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	42
PID 2592 wrote to memory of 2932	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	42
PID 2592 wrote to memory of 1924	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	44
PID 2592 wrote to memory of 1924	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	44
PID 2592 wrote to memory of 1924	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	44
PID 2592 wrote to memory of 2924	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	48
PID 2592 wrote to memory of 2924	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	48
PID 2592 wrote to memory of 2924	2592	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	48
PID 2924 wrote to memory of 1600	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	101
PID 2924 wrote to memory of 1600	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	101
PID 2924 wrote to memory of 1600	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	101
PID 2924 wrote to memory of 1728	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	102
PID 2924 wrote to memory of 1728	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	102
PID 2924 wrote to memory of 1728	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	102
PID 2924 wrote to memory of 2940	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	103
PID 2924 wrote to memory of 2940	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	103
PID 2924 wrote to memory of 2940	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	103
PID 2924 wrote to memory of 1044	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	106
PID 2924 wrote to memory of 1044	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	106
PID 2924 wrote to memory of 1044	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	106
PID 2924 wrote to memory of 688	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	108
PID 2924 wrote to memory of 688	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	108
PID 2924 wrote to memory of 688	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	108
PID 2924 wrote to memory of 820	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	109
PID 2924 wrote to memory of 820	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	109
PID 2924 wrote to memory of 820	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	109
PID 2924 wrote to memory of 1400	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	111
PID 2924 wrote to memory of 1400	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	111
PID 2924 wrote to memory of 1400	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	111
PID 2924 wrote to memory of 968	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	113
PID 2924 wrote to memory of 968	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	113
PID 2924 wrote to memory of 968	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	113
PID 2924 wrote to memory of 1808	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	114
PID 2924 wrote to memory of 1808	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	114
PID 2924 wrote to memory of 1808	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	114
PID 2924 wrote to memory of 304	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	115
PID 2924 wrote to memory of 304	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	115
PID 2924 wrote to memory of 304	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	115
PID 2924 wrote to memory of 1056	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	116
PID 2924 wrote to memory of 1056	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	116
PID 2924 wrote to memory of 1056	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	116
PID 2924 wrote to memory of 2100	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	117
PID 2924 wrote to memory of 2100	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	117
PID 2924 wrote to memory of 2100	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	117
PID 2924 wrote to memory of 1236	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	118
PID 2924 wrote to memory of 1236	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	118
PID 2924 wrote to memory of 1236	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	118
PID 2924 wrote to memory of 1248	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	119
PID 2924 wrote to memory of 1248	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	119
PID 2924 wrote to memory of 1248	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	119
PID 2924 wrote to memory of 1968	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	120
PID 2924 wrote to memory of 1968	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	120
PID 2924 wrote to memory of 1968	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	120
PID 2924 wrote to memory of 2600	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	121
PID 2924 wrote to memory of 2600	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	121
PID 2924 wrote to memory of 2600	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	121
PID 2924 wrote to memory of 1764	2924	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe	122

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
"C:\Users\Admin\AppData\Local\Temp\01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe
  "C:\Users\Admin\AppData\Local\Temp\01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\OSPPSVC.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UsYtfOrGZt.bat"
    3⤵
    PID:2820
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1752
  - - C:\Program Files\7-Zip\Idle.exe
      "C:\Program Files\7-Zip\Idle.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2868
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6197e94f-6872-44f3-916f-7aed300d9c38.vbs"
        5⤵
        
        PID:2952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1390f4dd-a354-472f-b67a-113e4c26c276.vbs"
        5⤵
        
        PID:2088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:13289/
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1828
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1828 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Reports\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Libraries\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Installer\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe

Filesize
1.8MB

MD5
aa4a67c6054632b561f932886a0841b5

SHA1
73b46bf3f4e659bbf7f2629614bf4af8cce31631

SHA256
ef1947034309b4fb84c53f7aec620a7bee806e1b9f8d524ecdd9f4a17e4f1bd0

SHA512
3b7875ecb760ad033f32286e6716cce71f6d31a18a4675f0e0b614e9845c7f533738e28b965b68219cd1a5656297f4832995c82cb52a3adadc409a72c129a8f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2216f3fa88a88e406e4e4b743b7dc22d

SHA1
bdcdaa1f49f54d9c46684419bde374ce22083e1f

SHA256
b929a41352ef9cef7927c5d1dd9b4f390237e4b4a4fffb8b8dd592b7b2f459c8

SHA512
b9d7c5461c2acbf840f90c3b1d4a721b08aa2a2324d0173c0586f87c192a5de8a43d9b7ad7c0077f96310fdc3b23e097c508cb2d1af560849c7798b6771ce2e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a62738e98a7eca4311171987f61ae535

SHA1
abb5df9141cf7ebc56ce325eded65de5a03cb235

SHA256
d5d4ab259906f92ce08e4874fca8d5889827fa4e6980946abed44e96b0d06464

SHA512
97f997a29f5b47a391075bbe780f8f6ec64f374dca6135ee1c8f1a75a1077a2cf9dee55c6e2f6613c60fb76208f8c5dfa65af10e3a024a697193b38076be3c2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aee543ddb3194bb1ea309ca9230e7d29

SHA1
fa2975329967282103d00aad033193eb435a547c

SHA256
9e9f44cf4b978daeb8ddfd4e1277f3bab7e945b1707a3fc516640b00a6a2d4dd

SHA512
2a804469fe34084a5c07d64d6841d7c7a99cc9d378a648fc80047a99092b4efaec815065bf35c295c347dce2633cd6a47bbe006eda40501b80a24e840d1cd2f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da32a9e03e3c74eae6f4690d7ee7963e

SHA1
b6fd27c6b0a3316f68d502ff39adcbab08b0453c

SHA256
24404fdf7279183a645f7bb2174ec7000862bc81499c46ca3fba2580f7e92e56

SHA512
d70cdb9124b128a39109d3d2b53c11170e4d79bedeabe48b25606456f666d62d601e6240efca37ce3f20319d51714cf052dec03192d917a3103111abc8084846

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d27395479af512d1ba0303ad421e29f

SHA1
aceabb57a27af2b4c2fd530ffe2484cf40efbcec

SHA256
661aa31c9c22ed3e0eacef21bee999fdff6d86887e23e78fb0f98c235d946c8f

SHA512
d639b19caaa0665cc92c3dc75f46bddfd3578d51ae2b44c5563b1fb992ed1005c1a1550449b337c1197011364ff886de1a7a22d6c3780bfc3072fdb7411abcab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2664b49458c1818058a65cca9088dacd

SHA1
7ddd361fb948a683489e8bfef9725b3c1e6cddad

SHA256
b06861bb45ca85caf1eb9505ecff05db7ca16a3751eedc21723d66bed8f59ab8

SHA512
15683718fbb061e083073eef3f52c98f0418824aea099b011cf83895bcdee227e4ffd592f1ba07961de1f724dcebe972333ef7812dd475b1afe05109b35e2898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75781490e198338d37b6cc409a42a90b

SHA1
fbe06e5959d509477f1ed2f205082424849730ad

SHA256
ca246f3ec3f1c069c292106d56a3c11f08052d28dc35d54c8495c3ff2b39fb55

SHA512
087a1a90b25079281da9d6204d9e85a68d1fc1dc298f188be76b8b3ba4ca51bdf850ffd1f244317dd7503538cba054b19f495042588c6bcbae9232aa76ff7205

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09c68cf5f8abfac74ab9f53dd38acccb

SHA1
f851dcf38f5148ae5262f0d3f3c8bb67942c446c

SHA256
e0d07d3519d82d3cbafb8405c9b98a5329b7115f7e6c962ae0217acb6f4c9fae

SHA512
13d36467d94fe58b48a078cb3ebe319ca052ae2e314383ae4147cfd9c96d55b87f9121b8624432edbadd84a4f84a671a1ee629bc4a370e24e252aaedc49ecb0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9aa6dfc1fd0ea1c6248e7343c43fa94c

SHA1
1f243d763814413dd9262d650679d0f01dd8ad4b

SHA256
f986bf24685957c34f03cb7cd434d9036f4dc464a724f0972b46b5be7d02d789

SHA512
9fef4dfd0028c22b3effd21d31ece1e8b9e0ea1e0fb97225639b5314d841f3f93113fcec72b521b7064d81d1078f308e899baa50ac427b7a8205aaf15d036d72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afb7d35866c38ae902749a3a64a7d7f2

SHA1
105f603dd70b2ccdb98e9af7e768b5e16164abfc

SHA256
b7ada76771f79f6641f1dc7a618edc92f9a6f49b9e58d6aedf778cf99ca48782

SHA512
84f08d388d72d758605d01b0b6262481337352ae6cf4ad9f2c51422b7b46d1daa88b458fadd08df52099a59c942ea7cfeb23a7b50a9d134c835b4146f68f6c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a6d58322df428eb3c0eb33a1c347882

SHA1
8d5aff631749384ab44afdee3cb1a6ec58aa6817

SHA256
5fe7d3279c51c71d38ada48924e8a5d4630a480e3948faead801f94bbe7ad7f1

SHA512
cdac153bcb524d2c0d326d2764dd0f4b84eeec802db7b4446cc0c3e6e3c7f5e832fd27cd1e1cb44c06f951eb3bf75f14854b6d4b95904eda3d019293780f5144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaeea74201aebca67884fa447741a9aa

SHA1
d22a77cdbfdac04a8fc39876e5d27d62c3254b00

SHA256
8e0a0b74cd8525e3bea52ec4e9bb00168d240015878c4dc3a5e0b636aa9a9a70

SHA512
341b668fdb3cd93f75792ff3fbd1b17f85251dc85548a8c815182c927a402300d8fb1f955390c8b009a26cbb39db4b11f0f2fd2b5a518e433bb9d1e2448a1365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b8ca4688309f52520f889add74d1d59

SHA1
d9cfd68f0be5be7c0a0b5583f4f778e1d36c8869

SHA256
f636afad1283651bec41586ed0602d58609057054721f271f476699456cd6fe2

SHA512
9321dc4a0a51811ec9ad003d138362b16ee082c4f922d7607387612986da1d3b84d48c0f853219dde8c8303f638d15473d67cf4b6e846d5fc417ace6a737b66b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b0ad42169a79de7c41274711d989386

SHA1
4f9e25be37b002bbdecbc99c63b08a0a2ac06eff

SHA256
87ee260228106c8b364671257ae1d13644f4495322678245a31b683f00c7fc86

SHA512
a4e5e18757dccfb8e816dea0296e9067f02df02b0986ec8943207f14dd8291d31329dccc890027654d6ce996dd5a2073dd5d362cd08b4f17e14d6f5408d9c8f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5235a164e931704af4810dbea4b4a958

SHA1
633d9e9fb563094da7cd80adabc9b68d4c91cb4a

SHA256
8bd7997a3073f873537114e230e004145d7453727ced325488c44a836265c1d5

SHA512
f1891f86a825cf766ff3480e4eb0db6a97263d4ec5dcd1de1521f584ee17683e58036040f51ec7f4881426dca6947dc9f5836eb3465cd906c88d69bdf024acca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab0cbe9019b95e09d8fae0ee47647657

SHA1
23810b05f13de364ae921805af9d5aa52124dcba

SHA256
49e866ffa0e7201873ee26b05e170582a4d2923f412ad3880cc3e23134334b8b

SHA512
ab7e6872ae7fd2e61b654a894efff4bf4eda60deb7d573e3c90abe5e471b76711a4a7257fd14163ea1f186515c45e0944a11ef84628aa4a696e0e6e5ab24cb14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
327dbd72a32c2557054043eff9e64dbe

SHA1
e24524a2b692397745b04d50efd73cea662afa91

SHA256
cf631accf604ba5ad738fe7d8b32cd2c5755a9e3a762b333696ff0ef1eda6219

SHA512
001b76c2f8e2391daa01948a410d75af4c2be09a36f0f48980870c5007f8b52eea3c13da97aeb1283383da0ba4ef0a5dc30190899adf0d4e37eebb3254c6a9e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac680c3c7b3dcb504b5f006e3752738d

SHA1
e93eeaab8999697ec2fb68a366a29922f4e40089

SHA256
d53ab528b7174095c8172e455cb24a2919fd589d85c1e719fc7e76007ab4b096

SHA512
73053c192c749dac6ba586cfdee9e694e129db75a6fceea40fb137c922f90aba5b2e328f73201bbc94280012c4ef61111fd756233cc9a4e4c7eabf9d1d8d50c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83.exe

Filesize
1.8MB

MD5
f3d2bbf94502d252041c35316a3437be

SHA1
337394ddba850c7e6c937087f93d1fa2dfcad0a2

SHA256
01c233bc78897b0621cc5b0c0aa8275f25209dcf8dd84abe775a6b996da7ee83

SHA512
e56b5f191ade12a301d249e17c3d933fcf11e18a591734b503ee8d106480d2bed92af277aded9c1e4b09b6665fdd1c3bf8069329949a24645b8bc229a8caca3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1390f4dd-a354-472f-b67a-113e4c26c276.vbs

Filesize
483B

MD5
3a580e89883b4b357c10e1d468f24f63

SHA1
67397c76c677afcc3b3e36a8dc2968d50e19a6fa

SHA256
9c9ad29dfdeefc0a720bc813359947f8b885b498b9e9ae06054447d946b8a382

SHA512
d3948dccc8a807807e093b4b2a3a33610c9322a596c640ada859341dfe944c732989f19fc3e7940e15d4b277f79b4e9c682fdfd907a7724bc6eccf8a2b9494b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6197e94f-6872-44f3-916f-7aed300d9c38.vbs

Filesize
707B

MD5
6cca9eac4312b486aa08e367046de32f

SHA1
418b6208d48d41d9955d8ab56d8a982fe42e09a8

SHA256
ca94f66b23af572d0600d1f66b939c1a49a74413058e21980c94a810c042edb0

SHA512
bcda7e91e6ce77ad0bdc74cfbd10421cc5272ca18f74fac402f9f849957b706105ef6e30f03b1d87cf2fe58d3a13fb4a23f98a74fa48fc00db4d463c950274e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9041.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC7D2.tmp

Filesize
1.8MB

MD5
e161f5c294ac3464de6f84a53a506700

SHA1
9c9b1f8f6c060e7e0ce67292e9ec249ec265aea7

SHA256
6aaabd8de9a999763538f5a5a623dcef9f15d8e714309a16f236c23921f2cf34

SHA512
e5ec70fea9bf4bc5e0e858eaea1f31259300193edfe48b963e2179d01bcbc1e50d6bccf25a35acd4b0fefaea1ba4ee6c429fa76ae02426c73d4fd69f0585268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar90B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsYtfOrGZt.bat

Filesize
196B

MD5
d5505f732ce25d2c51511d03de2cddb6

SHA1
796672c8588237ca15fa344dcb7cf643aae3be96

SHA256
2c7728b91ef25784c5153d12baa021b0e3e02aeda77b75f0cb37b2fdfcfffb4d

SHA512
8431ec49db4f1675ef1fcbbe173013cea86a32b2e68f8e5cc9eee0dfaf3014c469562d802150c74bc5e3e63b6303711f7f09d822662121ccedb8f7e355383e13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b3c98c4a2161dd5da20cb1e03514909e

SHA1
290e85795ba5e2023fe441230a21b14dc41b2ecc

SHA256
35bd5bf5028378de9c91270b9b4d03c63fdd07bef670f65d58081e4a85bcf47b

SHA512
74d3635959b402e2bf89025e7001ef5bc2d6a3a847f826d210fa05fec7452c9dec0411834fa5ec8530848a464b87edb2f4e30bae5a0568e5b7e67c8dfc5035b3

Download Submit
memory/1600-173-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1600-168-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1924-88-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2592-13-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/2592-20-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/2592-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2592-72-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2592-12-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2592-21-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2592-16-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/2592-11-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2592-18-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/2592-19-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2592-14-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2592-15-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2592-1-0x00000000013D0000-0x000000000159C000-memory.dmp

Filesize
1.8MB

Download
memory/2592-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2592-17-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/2592-10-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2592-9-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2592-8-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/2592-7-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2592-6-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/2592-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2592-4-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2592-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2868-258-0x0000000000940000-0x0000000000B0C000-memory.dmp

Filesize
1.8MB

Download
memory/2920-89-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download