dcrat | 54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Size

1.8MB
MD5

7ef44e6c54801a42dc9cff0bf0459036
SHA1

45322aee2375b98a8b443e08d5e9f58ac10e9e2d
SHA256

54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab
SHA512

dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250
SSDEEP

49152:ZWqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:DKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2852	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2852	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2316-1-0x0000000000A50000-0x0000000000C1C000-memory.dmp	dcrat
behavioral1/files/0x00060000000160da-30.dat	dcrat
behavioral1/files/0x000a0000000156a8-106.dat	dcrat
behavioral1/files/0x000a000000016890-163.dat	dcrat
behavioral1/files/0x000c000000016b86-199.dat	dcrat
behavioral1/files/0x0009000000016d68-221.dat	dcrat
behavioral1/memory/2064-291-0x00000000012E0000-0x00000000014AC000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2320	powershell.exe
1828	powershell.exe
1220	powershell.exe
1792	powershell.exe
1508	powershell.exe
1848	powershell.exe
972	powershell.exe
2340	powershell.exe
1900	powershell.exe
1344	powershell.exe
2160	powershell.exe
1884	powershell.exe
936	powershell.exe
352	powershell.exe
2380	powershell.exe
3064	powershell.exe
2428	powershell.exe
2088	powershell.exe
1044	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	smss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\services.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXA7A4.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\24dbde2999530e	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX9BA9.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX9DBD.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXA7A3.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\c5b4cb5e9653cc	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX9DBC.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\services.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX9BA8.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\69ddcba757bf72	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\SchCache\dwm.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Windows\AppCompat\Programs\386634bf1a3ceb	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Windows\SchCache\dwm.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Windows\SchCache\6cb0b6c459d5d3	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Windows\Boot\wininit.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Windows\AppCompat\Programs\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX9472.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\SchCache\RCXABCD.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\RCXADE2.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Windows\schemas\EAPHost\lsm.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX9471.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\AppCompat\Programs\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\SchCache\RCXABCC.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\RCXADE1.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008e1caba9ee07174fb569e029e0f8332700000000020000000000106600000001000020000000c56b6d7ea0af2055d023b9bcd5a97f180f2bb85a7a7f02b985101317f3081057000000000e80000000020000200000004399627555bc49af6225ec42cb78f47ab0240723292b3c9b5b726ba3be752c6f200000004f78a39fa8fefe7acd1796cea6f49fa3ca687117ecea1412a0a5d61a0b875a4940000000e0bce80156e6526fd01c8631e0ac0906babd0dbcd4f3b67d954ba7c84ca570a887bd5eab5fb2bfa58d0ebec3f67f161cc7bc557824bb55dbb93589440b13c169	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{82131071-B444-11EF-8318-F2DF7204BD4F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008e1caba9ee07174fb569e029e0f83327000000000200000000001066000000010000200000006fbcc29d385901abd04980150edf824bd56311c103caa6a5caced8d03c2ad39e000000000e8000000002000020000000f68c32e368c66a5358281c066723e3513848f21c328f609161f19f81bf7ea66a90000000612ea0beb85d1bad7a691962eb6df2d267d319f438388af7168f15437994f7efe19b02c884efba87d21b799aa4ab7327b9d9db31b1d432ea32fee7d8031aa3eec1ed7be8c0f493dc53fb1ee3a765d910e77a230858e525506e7b62db17b97a302f2c422f9b0c4e5d5ada5c07280ace5d3b36fa0c6c512785aea2c402ffb1316eca800101fccc605b724fece9bd80a6eb40000000c88bb3944ac4dc8f6ac2b1e85150b4518b133d987957bfdae70ac387a0708185ab326f375d474e07011db116a9e5cb4247e0895058a3b792b20cf2d1c18bfdc3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439701048"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 200876595148db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe
2372	schtasks.exe
2660	schtasks.exe
1988	schtasks.exe
2676	schtasks.exe
840	schtasks.exe
1680	schtasks.exe
864	schtasks.exe
680	schtasks.exe
1760	schtasks.exe
1156	schtasks.exe
1884	schtasks.exe
2936	schtasks.exe
2784	schtasks.exe
2972	schtasks.exe
1848	schtasks.exe
2116	schtasks.exe
332	schtasks.exe
1036	schtasks.exe
2364	schtasks.exe
2504	schtasks.exe
2864	schtasks.exe
2560	schtasks.exe
2924	schtasks.exe
320	schtasks.exe
2296	schtasks.exe
2208	schtasks.exe
2056	schtasks.exe
2916	schtasks.exe
2096	schtasks.exe
1204	schtasks.exe
2156	schtasks.exe
1900	schtasks.exe
1756	schtasks.exe
2860	schtasks.exe
1676	schtasks.exe
828	schtasks.exe
2064	schtasks.exe
2748	schtasks.exe
2564	schtasks.exe
2000	schtasks.exe
1736	schtasks.exe
2076	schtasks.exe
1584	schtasks.exe
1496	schtasks.exe
936	schtasks.exe
1444	schtasks.exe
776	schtasks.exe
348	schtasks.exe
740	schtasks.exe
3044	schtasks.exe
2200	schtasks.exe
2452	schtasks.exe
2608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
1508	powershell.exe
2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
352	powershell.exe
1900	powershell.exe
1044	powershell.exe
2340	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2064	smss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2064	smss.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeBackupPrivilege	2872	vssvc.exe
Token: SeRestorePrivilege	2872	vssvc.exe
Token: SeAuditPrivilege	2872	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1480	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1480	iexplore.exe
1480	iexplore.exe
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3064	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	85
PID 2316 wrote to memory of 3064	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	85
PID 2316 wrote to memory of 3064	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	85
PID 2316 wrote to memory of 2428	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	86
PID 2316 wrote to memory of 2428	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	86
PID 2316 wrote to memory of 2428	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	86
PID 2316 wrote to memory of 2320	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	88
PID 2316 wrote to memory of 2320	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	88
PID 2316 wrote to memory of 2320	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	88
PID 2316 wrote to memory of 972	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	90
PID 2316 wrote to memory of 972	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	90
PID 2316 wrote to memory of 972	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	90
PID 2316 wrote to memory of 2340	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	92
PID 2316 wrote to memory of 2340	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	92
PID 2316 wrote to memory of 2340	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	92
PID 2316 wrote to memory of 2088	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	93
PID 2316 wrote to memory of 2088	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	93
PID 2316 wrote to memory of 2088	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	93
PID 2316 wrote to memory of 1044	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	95
PID 2316 wrote to memory of 1044	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	95
PID 2316 wrote to memory of 1044	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	95
PID 2316 wrote to memory of 1828	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	96
PID 2316 wrote to memory of 1828	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	96
PID 2316 wrote to memory of 1828	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	96
PID 2316 wrote to memory of 1900	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	98
PID 2316 wrote to memory of 1900	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	98
PID 2316 wrote to memory of 1900	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	98
PID 2316 wrote to memory of 2380	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	100
PID 2316 wrote to memory of 2380	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	100
PID 2316 wrote to memory of 2380	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	100
PID 2316 wrote to memory of 352	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	101
PID 2316 wrote to memory of 352	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	101
PID 2316 wrote to memory of 352	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	101
PID 2316 wrote to memory of 2160	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	103
PID 2316 wrote to memory of 2160	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	103
PID 2316 wrote to memory of 2160	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	103
PID 2316 wrote to memory of 1220	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	105
PID 2316 wrote to memory of 1220	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	105
PID 2316 wrote to memory of 1220	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	105
PID 2316 wrote to memory of 1884	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	106
PID 2316 wrote to memory of 1884	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	106
PID 2316 wrote to memory of 1884	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	106
PID 2316 wrote to memory of 1792	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	108
PID 2316 wrote to memory of 1792	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	108
PID 2316 wrote to memory of 1792	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	108
PID 2316 wrote to memory of 936	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	109
PID 2316 wrote to memory of 936	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	109
PID 2316 wrote to memory of 936	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	109
PID 2316 wrote to memory of 1344	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	110
PID 2316 wrote to memory of 1344	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	110
PID 2316 wrote to memory of 1344	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	110
PID 2316 wrote to memory of 1508	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	111
PID 2316 wrote to memory of 1508	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	111
PID 2316 wrote to memory of 1508	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	111
PID 2316 wrote to memory of 1848	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	112
PID 2316 wrote to memory of 1848	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	112
PID 2316 wrote to memory of 1848	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	112
PID 2316 wrote to memory of 2064	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	123
PID 2316 wrote to memory of 2064	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	123
PID 2316 wrote to memory of 2064	2316	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	123
PID 2064 wrote to memory of 3068	2064	smss.exe	124
PID 2064 wrote to memory of 3068	2064	smss.exe	124
PID 2064 wrote to memory of 3068	2064	smss.exe	124
PID 2064 wrote to memory of 344	2064	smss.exe	125

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
"C:\Users\Admin\AppData\Local\Temp\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\MSOCache\All Users\smss.exe
  "C:\MSOCache\All Users\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d4bc4f-db10-453f-9469-63d5d005f0c7.vbs"
    3⤵
    PID:3068
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4cad890-c3a5-422b-b4c7-c54af6732297.vbs"
    3⤵
    PID:344
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:13576/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1480
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab5" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab5" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab5" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab5" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SchCache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\smss.exe

Filesize
1.8MB

MD5
7ef44e6c54801a42dc9cff0bf0459036

SHA1
45322aee2375b98a8b443e08d5e9f58ac10e9e2d

SHA256
54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

SHA512
dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

Filesize
1.8MB

MD5
ad3f434eac7724fd748c1d49a91f36b0

SHA1
c49219e708dc12a8455f49ecc9dd38b2ee3ad2ab

SHA256
a7a5a886f2214016162796639e3229dbe1e5c19f5c0d37a7883f10944420e1f2

SHA512
b16c086f5d5ffba17d755fdf389ba746730c96f0e9954f77c699e77f15f9f8d3422c4ba8d1b394a79e6b277361508cae3e704cae000bd6deb846f7c70e4ee42e

Download Submit
C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\services.exe

Filesize
1.8MB

MD5
8c48be2621a7b1b46b406838d00dbc78

SHA1
bf44792cbb14e79f8dc18c42fe66c40dbdd73286

SHA256
324f91acb6fc40bc04b837785a3abd921bc200b7bf6869ec2c6dec1b8fb70aa7

SHA512
12afae1646c1e631fca8cef2326954a0c2f3d0b8ac8d7c1db4841af8c6bc9ac08151860755599c372499224be68c42b489c932e1db4e395bb7fb4edea83939a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b1c4cc9171a5afcf0c4214ded7938bc

SHA1
858323e761cc1270ad9ae9edbd3d0cdb196ceab1

SHA256
3ea6ea6c309b5cf1d1394311d84e10b2871e1a6137310abc0bca924c9d9dc6ff

SHA512
e9a4acd770ccb2eea81b5ac1f2e6bacd9a3c1982ba997f2cbd082200e7752dac3bd77308a47d4eee52351cf545b55c322d6ca91d1803e3627f3cffd9e05b8467

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2d075632eea37471d6316181a56eed2

SHA1
1e60474a9f93a03da2aca7ac13826594aef7a48b

SHA256
8a9e0250dae10aff9bcd4db812b36fcb1cc221a2e4b96c7c83f90b82c60eed82

SHA512
c2ac2d2108c0db63194f12d27b737f6cb66082053da96632e84b25ff904fcbbfe08c9691fa08edb8316dd11b7b27b4a64629f0eeb814d9d5df28cfc6c8213ce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d67a0a216a0f1361a1a1c703534c638

SHA1
e9a3954a1993c8c2bafca2c17288362f330a8ce6

SHA256
625564837513e495bbd37b014398d078817bb8f5f82469b1c880d76cafe25cfe

SHA512
3207d69609bb0b5a9a9c59b19fa2abde44829573dac9af0e05701c4c8f47d1aa346d459d158700e1e1d091e9214d70fececc9ae0a77b14aff1d5d2870f611bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c46789d5f8ecb059670643f6b2ac91d

SHA1
96ba8c5558973bff83d5daf2b168092c36411956

SHA256
69dabeaf0adb8b21e20c37fe034bb13d3cef2390407539fd8b7adb09924efddf

SHA512
37aac8a82134a062dd863b014fbd2f1a15e7e38def4e2169bee8d857a9e500080f50959fcb4b284395fdac9570eb40693f67729a578e84ad74b39ee170493b34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddbb2ff7a846efdd835165bb3e0c9ff4

SHA1
ee4cf1fb55e7b2de7a6bf2147413bcbc8f87cf3c

SHA256
6c67c08d9d0121d638dffaa0dee945876aa92feab814a28c781448ccc5cbfe1e

SHA512
71574db2a078e0fb1b0c6185e424f01c920ffbb9be6f0b52cb6df3e8df4b926689062cd7aeb91ce83e8ff69f6104b142d5f824bae456460d6680b086542f6e7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41e27e27aecc0a18081b31dd4449006c

SHA1
7a2cc783b7d1918e2cabe3b514ce48d56fd61798

SHA256
c24c56786ec82b9cafde8c5b5707a28eb386caea9a6de044bae066fed9c526de

SHA512
fa7816f949c4485068fdcb76dc1a19b708be25e996fa69697bbb7463a0ed42fc8ee3b338ae2a57e28c49dea703fecc3352e24761514930d2534ac0ffcf0614a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b457ae9d14efe05af97e50735fc3287

SHA1
1eb9401d57ed2c48327c97bb716cbb6da5f42c70

SHA256
00b07fd6706ace4cc106198b07e0c1c94cf446757d30eb01737a05fb1f99cd7c

SHA512
e22673865a5e83757f1d99a34cec3a30bd66a0310993d15a1c145cf7e8fdd146695ea989b17fcef6d0cee2a835ddf97874654e6a8cc5d2b704bfba9630a62cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a3569621cc884ccfbee9ad8700a2586

SHA1
8c0fa8a96f1c92bdd1ad8c2757e7e5e25588b6c0

SHA256
dc4a7325b165448b5899946d315a09f541dd3aa1f95496f2135731d735236498

SHA512
678223e59d9acb2d4be5a8be4a8528bdf3dfe7f3f9b45b716dacf0e92b66a28d78f1d6e66aff6a812a1b8698d507f722228ff1f1870b6290baa5dd852236d7fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4301a96eb4c7a78aeb15b2750fa695cf

SHA1
e0473f16096f73c4cf3a3f18a17e03593a7230f4

SHA256
79e5575900fd98616fa75d0c25614c50ac015d81f8285458fffd4bed7762245e

SHA512
ab54c9b26080bace61a21519df25f78ad96ca9eba0c8161ef70806e229e28e2f14222d5f4caa8ac698990f0873ec4a40823d88784a8a19109a733c8a94fb227d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae84bc44c326b8c2a4f190f3841b834c

SHA1
dbee5179a2b02f5e101fd1aaba1fcc38f3e053b4

SHA256
639bf20ab37e0a2e5108f61f86b7daefad9c43eb2d247a15decd868aee45dd6a

SHA512
26b435dcf27b71a95b9554ed5a25c452e1467de34c8586c2f42146a41d9818878a8e2d63e3302920cfd9cfe135ba3618b63324f2809101ea3088aa195b69f1a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27234e9742dce2b987217609f5975388

SHA1
0392d866e3d7d532b8a25b52831ccbe7d0a0fb62

SHA256
df1d18dade7423bf412b1051c5ff6e9730170756f057a027a0e45b9a195bef68

SHA512
f196db2c285ad439a73203a7e61d7ccaa45b866d5523aa8e947fea9cb779883ac2684cce1860f0d61d33978fb0a265ad3b42c271bed8e689ee3646f4a86a123f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6ff16fdaae005328def2c84a02ba6c8

SHA1
77d9d5c1c4865a0962a71344cdff44c2f460d973

SHA256
ad2f8291eb795eecf4c18c519fc4b759b8ff1aa7f9595ce6af272bd1f1ec0133

SHA512
0f8dbfff88c612a11c0c33ace9e8bbbd6c5ab91d0639acffb8cd0d68855c4b945afd5886efcd390ad04cf59c23ea846852d5c98c972998056e4a9142ecc364fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c211765b732f30f2d01f50d67d537d2c

SHA1
7da09f9a58455646195235ed6cdfecc0eb327564

SHA256
29c56ce7fe17397872a359dfca093cd98072ee9b1192992d8c498587c197a322

SHA512
07dc8d7dbdc47dd4ebd4befa5232cf613f871c34e952a0281eb7aec6f1995908f7106fefc7511c76c3a400cb07813acc934ee759d5ee86dc59e2495a3fec38f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fd2c1d2ca99e6caec71beb91577aaad

SHA1
70fcb9431803dea5f5ea701da80136e0d4d2b90f

SHA256
9c6ef6fc1cdb24fd9bbb596de6bcce3b8716940c84cf398b225f83732ad91f3e

SHA512
c02615b0b62566fe235b9d44c58399b5cfd07a621e9a4b6902bd5f0d603d5d300b2317a2fa6811797dbbad7d19de9ef7e5d7e49fbeb6556e7d5bf981b87decba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fdc58c8315da081bb71d84d5b16f6bc

SHA1
5b70ffac6203f63af7c24ada4fdd7918d3143818

SHA256
a10d3692e4b849555391e2d4222abe4b9a2cadcce8e19e88e26b41b28107d907

SHA512
486de1f7ebd6452970792b6a3f7c9f029c7f41f781c5e5181ae9f2f4744ea833bf10e7dc2f0697e2af838ab5a36d2397e94a61682c03dfd38038cc382184cf99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
236170e3e50b201164353ef57523efc5

SHA1
228d3a05250c3f205ba85b9f8520dcf3f494aec3

SHA256
2a7b9e1ceee4636c19b929ff1ce2b6ae30596712bde5bd04cbef337a81799f63

SHA512
b6aa60f9a8bd9e2ee9ca23a6e9ac8a11f810303f5474bc63182bf9f9ed73691e529f853455ed9e9c0e6c679e46fddddd25897691540d9d0145a267a162174b6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2a06b0ea5ff6ba3d50ae8f28c28cda6

SHA1
9a606840d2c86b2508a1ae33da22a7fdd0c6d8d8

SHA256
00e254f527f2444a060df3b43ae02d6ed5a9ca146fd921ca59ad2bef8a23e099

SHA512
521bc39e38ec204d76e3f728bff18a3719de7482812201a1f523e35b24119ff3d37b18dfbba192fbd89dce3696e1694d21bcbbf074406e87683a88be69b33e2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d71b9dc072c257174ede277dc6f58b36

SHA1
0932e6f551e6503caf490460976ce77cd17bdbcf

SHA256
f1c6f23ca2f954ce76dfbfb7d2bcd214ff6cd572a33b2b6fc6bb138c00acf1ea

SHA512
9ae111356cbd4f81f0bcf73edfed867e8cd66bd8e7ab43d5e6400b14d4f78d4177f7ca662142343c9795448d8ea29a58d1135179d15525254f5047c05f375141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58cf650ad2efbdfa9364b313f5d5aef4

SHA1
82eb2157c8b61e0415d64cfb921c75384c3ed36f

SHA256
9fab8617fa6dfc96ce0071d2dae20cd9f15f9e65d797859fd4a9abb932e997e6

SHA512
78dfb63b6a93776eb7410f7eb919e92e2e374359348f5c768d7e9dc6e48829ad10880ebadc42ef075c56a0b81a6c6b56b61ee2969e1b3e2be4d2a80cdcef4b67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd0069cc5a90b8c261e74b37c837d14f

SHA1
809ae07a689f5648073dca3e9044301e4bc46092

SHA256
d83be596ee1a3087b979404ceb322ff752d8704c263b203eb5369fe1531991b1

SHA512
1b745c290a14e75aa940545ea07037449b4e1c90a63c76e8370f508fe2cfa260064af23199ddbc1634cb1b8076d4dafa5d9e19b317fceab2d264512a48d0eab0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d21468f003eb6e3ef7c066416f154f7b

SHA1
8f44673a8b20c8f9b734c63d5ddeb664590f64fe

SHA256
f2749dfcd7387602b61eacbc6eeb14215587ba53b8dc97aa4f537a09991e0cf1

SHA512
a957e4668acd65e0aa92143ec013fb8b963745892c6693a1a038dde3733188f49179a2bfcdd63906e082be4cdbd5c5b87a5bfd3d18cdad9bc396a548b1c75ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\00d4bc4f-db10-453f-9469-63d5d005f0c7.vbs

Filesize
706B

MD5
b7cd2a0fad447c84bd07ca3e4b5af2e7

SHA1
6ab7dd79ffbfea981db648e55eceb0925074cc35

SHA256
cb324c9da1dc76f06ad4bc6de192c954880891ba64826ef3bca2ead91636ecbf

SHA512
691e668ef88b3cd89793ed3be3d96dcfc0682a676217f42ba88390d54ba0250da94ff988ae6623b010a919a185119c822943f2b3eb417372c6bbf44a17fb4baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab120D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar129D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4cad890-c3a5-422b-b4c7-c54af6732297.vbs

Filesize
482B

MD5
c62f1592a181763a3fa40b491a94c5ff

SHA1
6d6ff511e87f5c8693c6172f881e96eebd8a865a

SHA256
5e7441a9e13f6700395cfe718e25df25555f14029056aa983e29ceea3a21ce74

SHA512
480b2666a60d73a2cb804a3bd068714baa96a4a3311ddbfd4ee2e75b27bcd0d768e47490a8efcf3c250a9b05b60159888e9dc7da68dc49b6726f277195496b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ee3b60ed6487672b6152cf9e108250e

SHA1
4f8d4edcb5a4a5abc4a265409a7e1ff9c5a55637

SHA256
6645d71638d6893e51ef50d7c8f31225f605530c68dd52def388e6c04e6d4fb6

SHA512
1dab66d46f2cc4e89d4d680644d964bd3cf15461de0f8a81c19bc1a1289cf5da13a1770545d88c8841558aa84c3cd77bd7d378487ee78439d65400f5a8789800

Download Submit
C:\Users\Admin\Saved Games\System.exe

Filesize
1.8MB

MD5
bf0098b306cadd6902764b3d53075e65

SHA1
7fdb46cfa16ee4f9b263903685518294cdc8ee97

SHA256
776db6f1f2ee5682bf964925cdf824924ca7f5f9b298e129616f2e5b0ce0f8e0

SHA512
b21fe878bc1d40af3ea7dd4c823a51889a0945b6fd45d84cce955b725cc3403cd967dda96011bbbd8923c0a23040ffd0a9d46ca4dccf8ef8a3d963a3fbcd506d

Download Submit
C:\Users\Default\taskhost.exe

Filesize
1.8MB

MD5
e69385c5220779d0d95b44a5a3d2ac62

SHA1
e6d3617138e2e14f818f5970c54eec119f1a5b5c

SHA256
57b92ad0ca7e868d061cff7f679ef1736148ee71b0a55a5b21eee163850c27be

SHA512
887400743e191285b2298bca1dd4317eabae9a244398db511214cfc294046b49b1f8ec006a9c2be41175cbe811526ed8b2bfdd753f2783de3a6dd34a1fe6c4db

Download Submit
memory/1508-279-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/1508-284-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2064-291-0x00000000012E0000-0x00000000014AC000-memory.dmp

Filesize
1.8MB

Download
memory/2316-15-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2316-225-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-13-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2316-12-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2316-178-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2316-23-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-20-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2316-19-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2316-18-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2316-17-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2316-16-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2316-14-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2316-1-0x0000000000A50000-0x0000000000C1C000-memory.dmp

Filesize
1.8MB

Download
memory/2316-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2316-202-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-11-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2316-10-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2316-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2316-8-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/2316-7-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2316-6-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2316-5-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2316-4-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2316-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2316-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-308-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download