dcrat | 4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Size

1.8MB
MD5

472159211357c43b60e083a07fec35d6
SHA1

b62f28c445da343e5f05b063b15ffa44cbce671b
SHA256

4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27
SHA512

84acc61cb6e229bac8bad89c53c7f02473acfecdef5a73fe307982b8a1bbded500a3a545b199a9e64101b973bf5fe0ecdf02f83f05b09bab2be4f503d972e4bf
SSDEEP

49152:XWqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfhV:pKKZ1sRD2Q3N5MT4rQ

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2828	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2396-1-0x0000000000B30000-0x0000000000CFC000-memory.dmp	dcrat
behavioral1/files/0x00060000000194f6-30.dat	dcrat
behavioral1/files/0x0005000000019c66-45.dat	dcrat
behavioral1/files/0x000a00000001961b-68.dat	dcrat
behavioral1/memory/1868-123-0x00000000010B0000-0x000000000127C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe
2304	powershell.exe
2168	powershell.exe
3068	powershell.exe
1508	powershell.exe
2980	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1868	smss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCXA660.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Windows Journal\RCXACDC.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Windows Journal\services.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files\Windows Journal\services.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCXA5F2.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Windows Journal\RCXACDB.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\6203df4a6bafc7	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files\Windows Journal\c5b4cb5e9653cc	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Idle.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\Fonts\Idle.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\Fonts\6ccacd8608530f	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\Fonts\RCXAA69.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\Fonts\RCXAAD7.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000024fbc72662842d429af2759ade7c1155000000000200000000001066000000010000200000002c7d44a655726b7e2c9f0f16854d38caaaa61013a85f5aa849605cf896dac647000000000e8000000002000020000000ba51b8cc6a903cc9cc57d4ce846a3253b1a19e2062fb43c3ce024066dc9ab6d19000000005ef5f32fd4314623ed7ac42e872504f4855f87dfb328dd9a1c3fc9602f5f27214ed42e39f409888c58895b96331b300b334709a996436402c72171d11dfc951bf6335997fe4fb09211fb5b8b2f3c39206ef60d265306c4663f7292fbfb722831ec0baefd1382cecb8184eefba0679af6e610712621f6c431db83187b418030c953bceb5b749cb593914c08cc48fc5c5400000004c3218d319b0a0cc5769acdc6ecc8c48b1c82e17c23a6593576982f88d58d3967443a6efe2d58f9fc01f3e65ba9dfe8f46773e229eaeb2512c23be7d0107dbf8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ca76a84347db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000024fbc72662842d429af2759ade7c11550000000002000000000010660000000100002000000087c034784b3a4a8194ce83d9e45b6ef0975ee174eb5c76209a434e3955833a87000000000e8000000002000020000000ea685b48e1cfabd40a984f1d437ccef8a8a5108a3787d58a37b0f4eb6f4168362000000081f5bd7276920d039c1260cece48d27d36c62ab029a0e4953505d3318823b1b540000000f3baeeeea2c56ec24d0ba1233ff0688003c49bf7dd04d8a92a24befa05c23304ab3e817dbb9c2d00b7f256932c9fd37b50407ea60c0fc79d858af61b1fbe35e2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439585214"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CFD74421-B336-11EF-9C44-E61828AB23DD} = "0"	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
2592	schtasks.exe
1244	schtasks.exe
2752	schtasks.exe
2916	schtasks.exe
2660	schtasks.exe
2300	schtasks.exe
564	schtasks.exe
2252	schtasks.exe
2436	schtasks.exe
2844	schtasks.exe
2876	schtasks.exe
2636	schtasks.exe
1652	schtasks.exe
1388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
2328	powershell.exe
1508	powershell.exe
2980	powershell.exe
3068	powershell.exe
2168	powershell.exe
2304	powershell.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe
1868	smss.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1868	smss.exe
Token: SeBackupPrivilege	2956	vssvc.exe
Token: SeRestorePrivilege	2956	vssvc.exe
Token: SeAuditPrivilege	2956	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2388	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2388	iexplore.exe
2388	iexplore.exe
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2980	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	46
PID 2396 wrote to memory of 2980	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	46
PID 2396 wrote to memory of 2980	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	46
PID 2396 wrote to memory of 2328	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	47
PID 2396 wrote to memory of 2328	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	47
PID 2396 wrote to memory of 2328	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	47
PID 2396 wrote to memory of 2304	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	48
PID 2396 wrote to memory of 2304	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	48
PID 2396 wrote to memory of 2304	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	48
PID 2396 wrote to memory of 2168	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	49
PID 2396 wrote to memory of 2168	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	49
PID 2396 wrote to memory of 2168	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	49
PID 2396 wrote to memory of 3068	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	50
PID 2396 wrote to memory of 3068	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	50
PID 2396 wrote to memory of 3068	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	50
PID 2396 wrote to memory of 1508	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	51
PID 2396 wrote to memory of 1508	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	51
PID 2396 wrote to memory of 1508	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	51
PID 2396 wrote to memory of 1868	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	58
PID 2396 wrote to memory of 1868	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	58
PID 2396 wrote to memory of 1868	2396	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	58
PID 1868 wrote to memory of 2288	1868	smss.exe	59
PID 1868 wrote to memory of 2288	1868	smss.exe	59
PID 1868 wrote to memory of 2288	1868	smss.exe	59
PID 1868 wrote to memory of 2800	1868	smss.exe	60
PID 1868 wrote to memory of 2800	1868	smss.exe	60
PID 1868 wrote to memory of 2800	1868	smss.exe	60
PID 1868 wrote to memory of 2388	1868	smss.exe	66
PID 1868 wrote to memory of 2388	1868	smss.exe	66
PID 1868 wrote to memory of 2388	1868	smss.exe	66
PID 2388 wrote to memory of 1268	2388	iexplore.exe	67
PID 2388 wrote to memory of 1268	2388	iexplore.exe	67
PID 2388 wrote to memory of 1268	2388	iexplore.exe	67
PID 2388 wrote to memory of 1268	2388	iexplore.exe	67

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
"C:\Users\Admin\AppData\Local\Temp\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c23262ab-9662-4753-8c46-5f6db943d532.vbs"
    3⤵
    PID:2288
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3bf1b4d-3970-49c0-a3a0-b1cf015c7cf7.vbs"
    3⤵
    PID:2800
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12261/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.8MB

MD5
472159211357c43b60e083a07fec35d6

SHA1
b62f28c445da343e5f05b063b15ffa44cbce671b

SHA256
4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27

SHA512
84acc61cb6e229bac8bad89c53c7f02473acfecdef5a73fe307982b8a1bbded500a3a545b199a9e64101b973bf5fe0ecdf02f83f05b09bab2be4f503d972e4bf

Download Submit
C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe

Filesize
1.8MB

MD5
a1082a8a73f7ddfbd6ef132ec8689bc8

SHA1
df624926d7edc8d6b6d0ab1f6804abf5e9500cc4

SHA256
8d237f4e80dda3dcd31cc30aa18d386731a12c993eb4f6577c4c6f75e8576938

SHA512
1afdfeaadd212e609fce3d453214daefffac3f898c8eac837b4798d4202d10b4d4a95e1087e492f52fd995e06f4bb083e268ce044def28e193816a29de43e8bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10d988cc4643622621b1a62f4a91ba8f

SHA1
b1a145921e272703cd8670f09adda0809badc115

SHA256
3caf60825ba42363d7f3f520670e370c1c725142ec4f22fd9773ac7cbd052711

SHA512
b8cdb385c7c11ac46ccbc012e6848c56db266c9172e099e834183be9b8a5bcbe029861f6a3c16933ca377d066d2026162303c929c847eb6d28a696c425279678

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8947388b6de00447c2d34dd68ab0c60a

SHA1
9ca5bc609083e737c4f82325118389347c321b6a

SHA256
b3b01f878328d43ba5448e8f1e8b62853a5972a0c9002a38ac5641822f8ff670

SHA512
bb0996b2ea001a4bf0c3594a797b1cba6c86086429376fc99411e775a2a7c9dd097bab76af1b865169aa80b47642c76cdd6603d6996e055b68bf681dfd9f261d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8055db085ca617e4db9f751643c363b9

SHA1
408cafb221b47acf3e6c1634adc9a93c0c8f2715

SHA256
d91963044fc5eb40ecc10423e938c137327ca25d77e99f36488ec88dbadef6b7

SHA512
c6617e0630322db02c61ac3e25d0732d02420271fd0235d05d4f742e392d84082c927a331ac8d9b1cdc7bf44101810bfe2b82d257fdb30bda1a3665757b1770d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d656b1e6f210ee0c5f93cfeb3cee39bc

SHA1
b66bd7b4872ec94d0ddf49afced49ec38b466869

SHA256
439dfa6aefea115334ad66b56ba728c573da30680c65ffee470d8ff883e24e06

SHA512
7a05d13dd76d086d7ebcc8f6518dc536e05a0c728b49e91d8be3a0ced17146248ed5b7011c479b6baea6af35fb52d77e20162e2028b3fb1906ea9facd66e5bcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19a8763523249f7e33b60d39c0f97363

SHA1
db1eb3fb39def866c02135e919c4095b86444ca2

SHA256
b794f4fd33026357c0151e0cfa08ed9b2f97487bc652f97c0c1f5eda27f37012

SHA512
e5f5f1522c371e050e421c83de057ab4f151110527b5fcc265cad52423f8de342c6f581c59f50aac21b6e04ccb8bbc17755253177b389fbb3c77bdb8ad5f467d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6437c78107a6aebf291c05cb7e86705c

SHA1
fb62b6b07baee27e8ccfb2b641dbd51504772bca

SHA256
7f2dcce749dd4f17c5789044cb54928fc55b76e636e5ab5daee1cde5bd76fe2e

SHA512
3e245e61dd6e76768dc9a0f3f868171707f6050d3eca9a28fad48bd7aed904312efc5dc43d4126b067ed3d4114d42973996921de2525c83da64232bf8f397d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6a6899403b120e9da49403ca9040de6

SHA1
47862dbc43db72fd54249c1faf4156e3719e81e2

SHA256
8559ac21bc48586692385597f5321e45ca828144f2f3d5a77a50f2d3d1899a8e

SHA512
5c84d8f47bb115ce29f1b4fa64fb6917e52047dd3d6fc76cb7eab2bb7b1f7667ccc85c397b4df21cc5c2a55c2a8382cf85877d035f669a87eb968aa27d6412fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d631f3c54c418f064e5b802d3c14054

SHA1
f02038e698bce87d642f374586e3a242e2581da3

SHA256
e2a2fc4fb83f7f6d60d2d39ab88ce232cffcb074c5b3c361c5baafa5c3affc23

SHA512
b6fbb8c945fe3aa29d0d7d3bb04d9e60586d4954c41df0110ade86ca96329a4ccae8f6f69914c7a76627dfdbaac610cc2ebaf78faf3bcf53fe02c392c453a593

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca6af6b3043f2128ddc52380bff6094d

SHA1
a2012093e4460d2d30cecc2a3f7e991618a137f0

SHA256
e162082b69ece4db716ac45f117c7f3c629acf2b92e0009e1d527b71255de5e5

SHA512
d8f7ee9ab4e2d1a8c8384e21448b367bc08e6d7bfbbb7e474c5b1840fd1c859623c9a30374f357a63517766e6f3f246c0cdfa387be8d372f47c5a907705ad83a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b03a21a1c8fa734e18b62d091ea90e67

SHA1
54261ce350de03919484a6ae9ec0fbb5d0f7bddd

SHA256
fadb6357c9ecbb7c9d4b3c747d3ac08cece3b387fefc6e555fdbdcb37c6fa21e

SHA512
9f8c0137ccfc557df27b2e492f03c3b47593efe2414d49558fe3be5c47e8a17b7240e68bebb263cfbdcb9f085c3485517c834aaabde61d36283869400c67308b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2be104c4e0f4881bcee4cf101d386e3

SHA1
59932bcbc87d739ab490d6fad3b88b745c936291

SHA256
7a475a8e092b48a45aacffaafefb728ecfc41184200e5aa2475c3d0cbe58198b

SHA512
61c6e39010fc3c4b83c91a564d7b50fb36ad55a42812cd93fee28a87900e3ef7a00442338131047e0f8528f6db3b8930defb7b274c028d51aaecd49dafa5eae2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6f76491ce044c0657a1b63b7070037c

SHA1
203466398d0b7abd62609e8d24a60d7f1e15bd0e

SHA256
b01029191eb21abcd4c33584672080a970b94f2cf46e7c2f9a017f37e2ce5d45

SHA512
b9d56de1022c7b11837021a14daeda0d082b73b169d800a03322044a51b41a3abc3151ebe4668c3b0c17ef6464706c6baacdace9c1aa160dd1d5c05a1f710bf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0230cbb0681cb32ef2004e9dd27a8a1a

SHA1
707805a950af71718a3120d12d095f81cfbba838

SHA256
03b5da0a06f8a3cb758bdd12cdb0086c4cdddaf5287a3065045f7adc89c131ae

SHA512
48e1583cc2426888d7a6380111eceeee51b5098d8acb22737bf58a5e32a077c1679a06b6a571b97263f376868646ae75564bfa0ac2fa0473c86f31fddc3201d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc26b6405086792b3b0445a692db4bf0

SHA1
016a7762892cc15adb5ac91aebc59369e4750b21

SHA256
72be727e70aa5e3a594a36c1d4d224474e4e57a8661c4ba7eb299c544e903a70

SHA512
5552fb63314329651c4465567b0a88f2102448eafb5a7c217826dfd86e939cce311946a6fde074996c14125cafadf2d0f435069df83ca3af2ffe26b0b957851e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c25f301b0349935e4c5913ec534c6b1d

SHA1
e1226d62d8e5c0469b1fa5c4474b0a0cc5002cd3

SHA256
176c02b3dcb6a2f213ea1602a40dcf469aa829fb1925070b27c6f07dac1538a8

SHA512
8f2f934e0111588cd4f5777ae88dfacde704eb6eae2142fc46c6a63759e7b4d8a8b26945cf702885f88aca319b738e7c7c49ce2ff5f474dcdfa688de3b9b231f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c5f2c5062cb50f258abdd767e0917db

SHA1
e28da20ea2caadfcc817a48a2682506f78ffcd83

SHA256
1244d271f3efaecdfcc74b2991ad64bde135ad1a167721cc1c64a8f8c1926828

SHA512
7175a8fcaf48ab34d233db45805a0ece2752c15ed170a1cb97f469a688f454297d1bdccb1d0109f5234df3071975d6a996cf3204cfadab72a74fcee477a24f82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb48de828fe712b6357f2102b78e212f

SHA1
1d9e353c4d3c1bea792cfb3a876806fb62900c78

SHA256
401473919dc883c705748666a5bfc83f4fc48df1f550eb97361b6f29fc580b2f

SHA512
95ee232af9ae6dfa03c87c98f49f88bab072d65fcbf759c74bd8ecd5349bed458d1466ace0c0624bfe4e114a270d8084b9aafbd10da4a57f00f777a191c33661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e29ed2e1cb57302c9f8b7c8e60d84d3

SHA1
212c9fe1b38754ab5425fb21a0f60c48b90f4a31

SHA256
de1c331094f8b8fa5d529e23aef94b3138269febc45bd7f074c597f666571a27

SHA512
0e1b7b69428a65974539dcb55179d6044c034d6ada7bb4fb36df7c48b5bdb9cd9f91491ca745e7c039ab14f2ea919f8c7aacacf78ef5748516af67f5c94d44cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b4dc4ccb554bacda53312f58c7b6519

SHA1
b8456854ead81f38d883631a16c074f4efdaae1b

SHA256
8208f0ff85a3f39c855fa6148c1c4284aee56726d325e06e52e8d02a8912d915

SHA512
9b9747041642c5e99779fe6ed82aef89ce5154f2db8883c273e958b5c276e3c7a97d2c19284ca6a850eacafe9c6b02c19cf9b6c13142c337fe13c6af4c71a2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20AB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar216D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c23262ab-9662-4753-8c46-5f6db943d532.vbs

Filesize
733B

MD5
d9996cb81ea0039e3fc136d388d70a57

SHA1
b2307211f1da88af0a489d839aa12458cc0d9aee

SHA256
284dcde6529b0f5ff81329eb8676092adb6639db1c1919cbbdc3678300a7e0dd

SHA512
fc62718a34f052898ed9b36d0b37fda937243ac19465345b80f371af374d5b07e2983219abeaf6bb8096b070ffe3b92d3e34e2152ca30c413549aaa95a40582b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3bf1b4d-3970-49c0-a3a0-b1cf015c7cf7.vbs

Filesize
509B

MD5
b4895e7cfc289360a84fc19cd0c52039

SHA1
ecdc8b697942002ebf72f8395f767dee379add48

SHA256
ad870342ba5590f50bc4fda2d32d57c47d18da1f3a7030f23f8290f1a12c2db9

SHA512
237bfd2d1e66f848d4aade0166ab36c8da2eed9b6816caac1e38632106e3582bc1acf9f7b29b13907c82074bd1bff701381e87258407f09dd3edcc2f4c5ff119

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a74305ad379fe08efe1e10a072f4b0b6

SHA1
3dbb9a4221ce96ea7421b6404ef66e646aa3f66f

SHA256
5e674cac936212e1a6b7a1924946693be882998740ace9d8559094c295cc46e0

SHA512
cb5569e2e1174386f9d2ade3f5184f38a49ede25f264031d032110289e5794c4cf969fc0d871a675babd59b119a7bb7da52cc95b5c8f7b6b0efa4f070d66226f

Download Submit
C:\Windows\Fonts\Idle.exe

Filesize
1.8MB

MD5
e972ac0e0fff0ccbc21150be6bc635e9

SHA1
ae8fba82fbb346eed5e4d82b5a572755cd36bebb

SHA256
b18bc076d2fae55bafcacb98084b4e1ac9bc6cdf5368858804b224693fca1143

SHA512
65a679db15b9fd5bc069115538acc5157bf212b118e18e8a8e8a8b486f4487fe517782d27940453799bc72ec23f7c3f1a933bfff724a36334d449fb12746988a

Download Submit
memory/1868-123-0x00000000010B0000-0x000000000127C000-memory.dmp

Filesize
1.8MB

Download
memory/2328-117-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2328-121-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2396-129-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2396-21-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-20-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2396-16-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2396-17-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2396-18-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2396-19-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2396-15-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2396-14-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2396-13-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2396-12-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2396-11-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2396-10-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2396-9-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2396-8-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/2396-6-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/2396-7-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2396-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2396-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2396-3-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2396-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-1-0x0000000000B30000-0x0000000000CFC000-memory.dmp

Filesize
1.8MB

Download