dcrat | 3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe
Size

2.5MB
MD5

0bc68db77e687fa52b2f367994c5bc6f
SHA1

ecf69c28aa53920f6279ad29d5bc9bb02542e841
SHA256

3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987
SHA512

fdb5c57a9a86961e895159543196c9b59c810827d82d7610ab8f9e220125f25c1867eae376c2f2aa1ae19b7899cd746dc18f6a56486cd4449766325a135421a1
SSDEEP

49152:ubA3jUx4QdTmxnMJUh+pDY92IXc3Mx+HqXQJc2cv1TDlHz:ubVdPpDYbNiIP2cvxZHz

Score

10^/10

dcrat discovery evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 37 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1212	schtasks.exe
		5028	schtasks.exe
		4712	schtasks.exe
		628	schtasks.exe
		1424	schtasks.exe
		1648	schtasks.exe
		1208	schtasks.exe
		2640	schtasks.exe
		1156	schtasks.exe
		3304	schtasks.exe
		1204	schtasks.exe
		4572	schtasks.exe
		3660	schtasks.exe
		4212	schtasks.exe
		3836	schtasks.exe
		3520	schtasks.exe
		1836	schtasks.exe
		4724	schtasks.exe
		1668	schtasks.exe
		2876	schtasks.exe
		3372	schtasks.exe
		3692	schtasks.exe
		1460	schtasks.exe
		1988	schtasks.exe
		4940	schtasks.exe
		3180	schtasks.exe
		2460	schtasks.exe
		2816	schtasks.exe
		4316	schtasks.exe
		3096	schtasks.exe
		1252	schtasks.exe
		3164	schtasks.exe
		2680	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe
		2160	schtasks.exe
		2892	schtasks.exe
		2168	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\comSurrogatecontainercomponentRef\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\spoolsv.exe\", \"C:\\comSurrogatecontainercomponentRef\\OfficeClickToRun.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\comSurrogatecontainercomponentRef\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\spoolsv.exe\", \"C:\\comSurrogatecontainercomponentRef\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\", \"C:\\comSurrogatecontainercomponentRef\\dllhost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\comSurrogatecontainercomponentRef\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\spoolsv.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\comSurrogatecontainercomponentRef\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\spoolsv.exe\", \"C:\\comSurrogatecontainercomponentRef\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\comSurrogatecontainercomponentRef\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ModemLogs\\spoolsv.exe\", \"C:\\comSurrogatecontainercomponentRef\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comSurrogatecontainercomponentRef\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\dllhost.exe\", \"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\", \"C:\\comSurrogatecontainercomponentRef\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\comSurrogatecontainercomponentRef\\StartMenuExperienceHost.exe\""	SavesintoHost.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2140	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2140	schtasks.exe	91

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023c87-14.dat	dcrat
behavioral2/memory/4660-17-0x0000000000D10000-0x0000000000F4E000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	SavesintoHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 14 IoCs

pid	Process
4660	SavesintoHost.exe
3644	unsecapp.exe
3288	unsecapp.exe
3048	unsecapp.exe
2092	unsecapp.exe
3944	unsecapp.exe
3004	unsecapp.exe
3528	unsecapp.exe
4472	unsecapp.exe
4212	unsecapp.exe
3288	unsecapp.exe
3292	unsecapp.exe
3296	unsecapp.exe
3880	unsecapp.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\comSurrogatecontainercomponentRef\\StartMenuExperienceHost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\comSurrogatecontainercomponentRef\\dllhost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\ModemLogs\\spoolsv.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\comSurrogatecontainercomponentRef\\OfficeClickToRun.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\comSurrogatecontainercomponentRef\\System.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\comSurrogatecontainercomponentRef\\wininit.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\comSurrogatecontainercomponentRef\\wininit.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\sihost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\comSurrogatecontainercomponentRef\\OfficeClickToRun.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Portable Devices\\services.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Default User\\TextInputHost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Reference Assemblies\\dllhost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\comSurrogatecontainercomponentRef\\unsecapp.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\comSurrogatecontainercomponentRef\\dllhost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\ModemLogs\\spoolsv.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Default User\\TextInputHost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\comSurrogatecontainercomponentRef\\System.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Reference Assemblies\\dllhost.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\""	SavesintoHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\comSurrogatecontainercomponentRef\\StartMenuExperienceHost.exe\""	SavesintoHost.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SavesintoHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\ja-JP\66fc9ff0ee96c2	SavesintoHost.exe
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	SavesintoHost.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	SavesintoHost.exe
File created	C:\Program Files\Reference Assemblies\dllhost.exe	SavesintoHost.exe
File created	C:\Program Files\Reference Assemblies\5940a34987c991	SavesintoHost.exe
File created	C:\Program Files\Internet Explorer\ja-JP\sihost.exe	SavesintoHost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\spoolsv.exe	SavesintoHost.exe
File created	C:\Windows\ModemLogs\f3b6ecef712a24	SavesintoHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	SavesintoHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2640	schtasks.exe
5028	schtasks.exe
2460	schtasks.exe
3096	schtasks.exe
3836	schtasks.exe
1648	schtasks.exe
3164	schtasks.exe
3372	schtasks.exe
3660	schtasks.exe
3692	schtasks.exe
1668	schtasks.exe
2160	schtasks.exe
2680	schtasks.exe
2876	schtasks.exe
4940	schtasks.exe
1424	schtasks.exe
1252	schtasks.exe
3304	schtasks.exe
1988	schtasks.exe
4572	schtasks.exe
2816	schtasks.exe
1460	schtasks.exe
2168	schtasks.exe
1836	schtasks.exe
4712	schtasks.exe
4212	schtasks.exe
628	schtasks.exe
2892	schtasks.exe
1156	schtasks.exe
1212	schtasks.exe
4724	schtasks.exe
1208	schtasks.exe
3180	schtasks.exe
4316	schtasks.exe
1204	schtasks.exe
3520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4660	SavesintoHost.exe
4660	SavesintoHost.exe
4660	SavesintoHost.exe
4660	SavesintoHost.exe
4660	SavesintoHost.exe
4660	SavesintoHost.exe
4660	SavesintoHost.exe
4660	SavesintoHost.exe
4660	SavesintoHost.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3644	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3288	unsecapp.exe
3048	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	SavesintoHost.exe
Token: SeDebugPrivilege	3644	unsecapp.exe
Token: SeDebugPrivilege	3288	unsecapp.exe
Token: SeDebugPrivilege	3048	unsecapp.exe
Token: SeDebugPrivilege	2092	unsecapp.exe
Token: SeDebugPrivilege	3944	unsecapp.exe
Token: SeDebugPrivilege	3004	unsecapp.exe
Token: SeDebugPrivilege	3528	unsecapp.exe
Token: SeDebugPrivilege	4472	unsecapp.exe
Token: SeDebugPrivilege	4212	unsecapp.exe
Token: SeDebugPrivilege	3288	unsecapp.exe
Token: SeDebugPrivilege	3292	unsecapp.exe
Token: SeDebugPrivilege	3296	unsecapp.exe
Token: SeDebugPrivilege	3880	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 4736	2036	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe	82
PID 2036 wrote to memory of 4736	2036	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe	82
PID 2036 wrote to memory of 4736	2036	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe	82
PID 2036 wrote to memory of 964	2036	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe	83
PID 2036 wrote to memory of 964	2036	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe	83
PID 2036 wrote to memory of 964	2036	3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe	83
PID 4736 wrote to memory of 4944	4736	WScript.exe	86
PID 4736 wrote to memory of 4944	4736	WScript.exe	86
PID 4736 wrote to memory of 4944	4736	WScript.exe	86
PID 4944 wrote to memory of 4660	4944	cmd.exe	88
PID 4944 wrote to memory of 4660	4944	cmd.exe	88
PID 4660 wrote to memory of 3580	4660	SavesintoHost.exe	131
PID 4660 wrote to memory of 3580	4660	SavesintoHost.exe	131
PID 3580 wrote to memory of 3528	3580	cmd.exe	133
PID 3580 wrote to memory of 3528	3580	cmd.exe	133
PID 3580 wrote to memory of 3644	3580	cmd.exe	136
PID 3580 wrote to memory of 3644	3580	cmd.exe	136
PID 3644 wrote to memory of 1468	3644	unsecapp.exe	141
PID 3644 wrote to memory of 1468	3644	unsecapp.exe	141
PID 3644 wrote to memory of 840	3644	unsecapp.exe	142
PID 3644 wrote to memory of 840	3644	unsecapp.exe	142
PID 1468 wrote to memory of 3288	1468	WScript.exe	145
PID 1468 wrote to memory of 3288	1468	WScript.exe	145
PID 3288 wrote to memory of 1036	3288	unsecapp.exe	147
PID 3288 wrote to memory of 1036	3288	unsecapp.exe	147
PID 3288 wrote to memory of 1560	3288	unsecapp.exe	148
PID 3288 wrote to memory of 1560	3288	unsecapp.exe	148
PID 1036 wrote to memory of 3048	1036	WScript.exe	152
PID 1036 wrote to memory of 3048	1036	WScript.exe	152
PID 3048 wrote to memory of 3876	3048	unsecapp.exe	155
PID 3048 wrote to memory of 3876	3048	unsecapp.exe	155
PID 3048 wrote to memory of 712	3048	unsecapp.exe	156
PID 3048 wrote to memory of 712	3048	unsecapp.exe	156
PID 3876 wrote to memory of 2092	3876	WScript.exe	158
PID 3876 wrote to memory of 2092	3876	WScript.exe	158
PID 2092 wrote to memory of 1256	2092	unsecapp.exe	160
PID 2092 wrote to memory of 1256	2092	unsecapp.exe	160
PID 2092 wrote to memory of 2288	2092	unsecapp.exe	161
PID 2092 wrote to memory of 2288	2092	unsecapp.exe	161
PID 1256 wrote to memory of 3944	1256	WScript.exe	163
PID 1256 wrote to memory of 3944	1256	WScript.exe	163
PID 3944 wrote to memory of 3780	3944	unsecapp.exe	165
PID 3944 wrote to memory of 3780	3944	unsecapp.exe	165
PID 3944 wrote to memory of 3404	3944	unsecapp.exe	166
PID 3944 wrote to memory of 3404	3944	unsecapp.exe	166
PID 3780 wrote to memory of 3004	3780	WScript.exe	168
PID 3780 wrote to memory of 3004	3780	WScript.exe	168
PID 3004 wrote to memory of 1828	3004	unsecapp.exe	170
PID 3004 wrote to memory of 1828	3004	unsecapp.exe	170
PID 3004 wrote to memory of 1336	3004	unsecapp.exe	171
PID 3004 wrote to memory of 1336	3004	unsecapp.exe	171
PID 1828 wrote to memory of 3528	1828	WScript.exe	173
PID 1828 wrote to memory of 3528	1828	WScript.exe	173
PID 3528 wrote to memory of 4160	3528	unsecapp.exe	175
PID 3528 wrote to memory of 4160	3528	unsecapp.exe	175
PID 3528 wrote to memory of 4304	3528	unsecapp.exe	176
PID 3528 wrote to memory of 4304	3528	unsecapp.exe	176
PID 4160 wrote to memory of 4472	4160	WScript.exe	179
PID 4160 wrote to memory of 4472	4160	WScript.exe	179
PID 4472 wrote to memory of 2348	4472	unsecapp.exe	181
PID 4472 wrote to memory of 2348	4472	unsecapp.exe	181
PID 4472 wrote to memory of 2400	4472	unsecapp.exe	182
PID 4472 wrote to memory of 2400	4472	unsecapp.exe	182
PID 2348 wrote to memory of 4212	2348	WScript.exe	184

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SavesintoHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe
"C:\Users\Admin\AppData\Local\Temp\3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\4Vp3r4P.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\comSurrogatecontainercomponentRef\SavesintoHost.exe
      "C:\comSurrogatecontainercomponentRef\SavesintoHost.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\65GNcYSTbg.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3528
      - C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        "C:\comSurrogatecontainercomponentRef\unsecapp.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfaa7d44-8e6f-4b46-842f-a63670e4682c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e3ecb8-3c2f-4972-b081-9c6676338dde.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e584476-275d-4e61-beab-6c2ec4557e69.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\210bf44b-1c88-47d9-869c-28facc4a2ced.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75bccacc-f563-4bd2-8376-72abe99c6d09.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83dad499-4e2d-42e6-acd7-54cf812f07ff.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33ec8b71-ad9f-4620-8eb7-2c68aed1600e.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\101f156b-69a5-423f-99af-585a5c982dd1.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1134a9d-5e0f-4463-9773-3e74d7f0f3a3.vbs"
        23⤵
        
        PID:3552
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab45b3e-e219-4441-8ac8-6846ce46b31a.vbs"
        25⤵
        
        PID:888
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d97c4c35-c657-4f7a-8e51-dcd10da2f1b0.vbs"
        27⤵
        
        PID:3964
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc521156-36af-4502-b62b-46213dd03691.vbs"
        29⤵
        
        PID:1448
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        
        C:\comSurrogatecontainercomponentRef\unsecapp.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fecd749-a199-49c5-af8e-157eff13335d.vbs"
        31⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92dba127-2ae9-4132-8029-7a2a15ea7ac1.vbs"
        31⤵
        
        PID:100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f582d6a-5739-488f-8a06-d6c2504123a3.vbs"
        29⤵
        
        PID:4792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\516c0e05-7eb7-4406-b0de-12460d0811fb.vbs"
        27⤵
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74c8fa75-ea44-4d98-ab2c-11690b0ee679.vbs"
        25⤵
        
        PID:4104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe8b35b8-01d7-4668-8c1e-a070e4a16bf2.vbs"
        23⤵
        
        PID:1812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ae93a9f-fae8-43d4-832a-0724f7617ff4.vbs"
        21⤵
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f83cae26-d92a-4686-a8a5-1f60ae7bc0e9.vbs"
        19⤵
        
        PID:4304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f849f9d-5ab4-4e14-b24c-126bad397ac7.vbs"
        17⤵
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e518fc89-3f5e-4fe0-aeb9-e707164d6629.vbs"
        15⤵
        
        PID:3404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38328027-cad2-4aa1-9c39-5ac0c577c636.vbs"
        13⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ba73d14-550b-433e-9b5b-ebb0bf9021a2.vbs"
        11⤵
        
        PID:712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb64954f-3e6e-4b4b-9ffb-57b053ca7588.vbs"
        9⤵
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\327ee463-5ebd-46e2-b5e4-d8ff7db33cdd.vbs"
        7⤵
        
        PID:840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\comSurrogatecontainercomponentRef\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\comSurrogatecontainercomponentRef\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\comSurrogatecontainercomponentRef\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\comSurrogatecontainercomponentRef\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\comSurrogatecontainercomponentRef\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\comSurrogatecontainercomponentRef\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\ja-JP\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\ja-JP\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\comSurrogatecontainercomponentRef\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\comSurrogatecontainercomponentRef\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\comSurrogatecontainercomponentRef\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\comSurrogatecontainercomponentRef\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\comSurrogatecontainercomponentRef\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\comSurrogatecontainercomponentRef\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\101f156b-69a5-423f-99af-585a5c982dd1.vbs

Filesize
725B

MD5
5bb604f065af72024d48b187efa493e4

SHA1
d843b703a02b20af3516560cc7d45001ea254036

SHA256
395fbea6c42417a3942721abb593651497b4c0e7820b416348a270894e18ceac

SHA512
ad113033a17baf486060007702651ec9794f94e3845adcc3909ddfc7d8a78961d4b893e321dd1923e8adb6d2baaaa6b573c9d8cc955a4a5bde2e57a34d43c46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\210bf44b-1c88-47d9-869c-28facc4a2ced.vbs

Filesize
725B

MD5
a0a8ef767828309534ab196e9daf86c0

SHA1
49cacd5e6875d0cf139d5904949f2fd15d4afa2f

SHA256
13982d66a0d4725ed7ff10ca0894e1d882c0091f31cac818b8a20d8155eb5cd9

SHA512
62d758a3f038fdab87b6b8be9357fac1cbc7b0fe36cc44ce88cbc2011b9a0722075248bcb1ff2dc37c77d31919dc103a887d59ff3215b0973acea1c752a1aaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\327ee463-5ebd-46e2-b5e4-d8ff7db33cdd.vbs

Filesize
501B

MD5
dcee82ed9c66991d994917bc7c0ef481

SHA1
2689fc289d44c93f7c7aa005c0f7f8ed6f936663

SHA256
d3279257d19a008a7e8d7c1a1ce65801b10e0b728dd81ce250c8f4b02d236ea0

SHA512
5ae4d43dc01aab1beb2c3743a9f805abc4b6c43e66a2f2671e8da636da2f2caff4759e04eb5baeb1ca91f963bf736e39fd794b464a9f467b1fa4e2d8f7d9e28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\33ec8b71-ad9f-4620-8eb7-2c68aed1600e.vbs

Filesize
725B

MD5
4a7228c839a1a2a7ca1150b1338b9558

SHA1
2fc38aedd0ecc7eedfee5891dd0c6d78dedd6b14

SHA256
04f82c2a22ca760bb1f8e4b507eb8ab3281cdd50736e6d996ae684f39e6025be

SHA512
97e4a48b0d62e8c75b348dc0954c68c9f3aba80046a4337f0450f9550a2ad4d0c73801987e36cc728d58dc7a4742c0b1d344f36d5b7c80ed23d084e062155986

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e584476-275d-4e61-beab-6c2ec4557e69.vbs

Filesize
725B

MD5
c18087db4386e0b6ab4bf1acd1c8c34f

SHA1
ea02b0e679852b76c25fa21860d63d4e159d1e23

SHA256
6f60cb9c2cba24b89db5c4bca32dd28fdcfb3d1726587e90422cc6b58b0a623b

SHA512
b559fc676ff3c4643c9a071e85aea83aa4a5b2d13d2a3e3bc8c40cbe9cc79bd593d0efe65e14bc4fca727b08d4d4f834868d60ca35dd087ec8eacfeb1a20b7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fecd749-a199-49c5-af8e-157eff13335d.vbs

Filesize
725B

MD5
e4ae883a3804e65e0d06711473b18386

SHA1
13bd6ccb57c98c63a161a8472e58da516c57e709

SHA256
897feba359067ff190d4157196ff231b5a64754f8e847a3a7cd736c07b91d35e

SHA512
d690093c8f15f84ca3ba03cd180cd27ee29bc6e212f38d8a3e2de3e7fa5effaa086c26e9c0f828d1aaa98aaa71a128061041f4d8eebc86302f13790e1b0633e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\65GNcYSTbg.bat

Filesize
214B

MD5
bc399a18991cccb9ee94c00b87a1e0bf

SHA1
d45bfde77452b5a513a9e6d00c52d131e8f134db

SHA256
b3468f68bc34c531351eb8d2108c59f938354e5b8ce255292dd42117063d4264

SHA512
4724e56d6b2387ebcec9f1617ea741eb1f57de172fddc8dfd27b254364ad39e8e06578aca06398cad081721e6da2acfbe042ab8e49aec598b5044382339ef257

Download Submit
C:\Users\Admin\AppData\Local\Temp\75bccacc-f563-4bd2-8376-72abe99c6d09.vbs

Filesize
725B

MD5
dfb96a0a85419d5870a5f17c718c530b

SHA1
47c2be85efcacba8b9b87392d76b4709aac88b88

SHA256
44f9a2b97afa949766e6a756cee040f0a7ce2b5899eac09210b72aa33481081e

SHA512
5283c9c99e0b3380875c5437ee0f316be0b8a7f2fffbcd0808291624014323ccf70495a6738489d030c111f174e008ec1cf5415dd9bd4d99a8b108fdf3d46fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\83dad499-4e2d-42e6-acd7-54cf812f07ff.vbs

Filesize
725B

MD5
996e2a7a4a98494ee42ca7984ff9ef05

SHA1
e3cabd754fe354c9181ffbb58d22dc47a8ec2929

SHA256
de590ed83589a149e5c595bad3bacb4ee0c888974cfebb0fc753579d4152c6b2

SHA512
cbb1ea25627896c4ad6f06ad79e317e75b86916c77d6fdc2add6828fb4cd9594bed05b98a01f6926b567fab8f402b8aa23828ab80c529b66dafd1e2a9dfbe972

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc521156-36af-4502-b62b-46213dd03691.vbs

Filesize
725B

MD5
e31afaefbd2b9d251bf65dbf23749c69

SHA1
7c97be81db9d65aa2725b23591013da5754b8a99

SHA256
54cf80cf399e41f4c46b07e5441eb7aeaece6cfc3903897b7611512ce27283bf

SHA512
846846715bbe7933597a3aeafe62798288724c95c703d36d35e88015f213448b61a125a86558ded837da2b88e848e0fe65008f927cabe07a58f7dd8cc6f9dc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1134a9d-5e0f-4463-9773-3e74d7f0f3a3.vbs

Filesize
725B

MD5
be4f205eb1166ae815d60a78ca91db62

SHA1
b6816462e6dfaf47f814b6cfeebb19c0dbe2c15b

SHA256
7464da5c7eea0736951d45eb7b6bf9f48d930dc17325960d68aa3b6d8e1f8f50

SHA512
6320b447dc0fdf0d0db82f998a7e89b8f4896c1694f2ee3ba2b6f765d660efa2226dbb0536995649f5413ba4b7e9696e1c172df848fc3d76abe82250f5b99ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d97c4c35-c657-4f7a-8e51-dcd10da2f1b0.vbs

Filesize
725B

MD5
62e199d0a9ded55d716d4625151f1d99

SHA1
84eb8f13f036e2d2f701f731a04c93ea93a6b494

SHA256
26136087393a73454cb8d1d40ddeab3e10a00de5c5c8535935b39e7554f292b5

SHA512
57bf8e5cc7aacef144bcc3debbc86464031ab301c41af8132e73977e5866dfb6ceb3170d1000f760d3298f73ae39e6d84ad6abe98394c82b5c9046e87595d09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfaa7d44-8e6f-4b46-842f-a63670e4682c.vbs

Filesize
725B

MD5
006f5055806558bb546dea24ca739aa9

SHA1
5f1e36d1ee86bf1b51370510bb9a8f3e22d16bf8

SHA256
84bd3300c23352848df33d8ee7fb7a5c29a5ef1dc437c6075c8f48109ac92e6a

SHA512
6d10676048e2365a23fb1e32180f45a500002b73300c062345afa983e112f2593e6bb47086242abdaf3c2057729115c4cb21b21b5b7a44f93bef02a31dce7bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9e3ecb8-3c2f-4972-b081-9c6676338dde.vbs

Filesize
725B

MD5
7f8518d90a4de27c083a00b412e768af

SHA1
494dcb1483f608dc58d24dec21b65cb6cb5da60d

SHA256
856c760914eb8026afe7fa81995976d656b594e0d13260c112f78ef2329b37ba

SHA512
f8deb5137d43e18c5e90367512bfd6df62b1e7c01d68283f6c0db282fc6f6b8813f4ffd110526ecef8a9384bb0eea3850322236fb037163c2bf53d763c82240b

Download Submit
C:\comSurrogatecontainercomponentRef\4Vp3r4P.vbe

Filesize
223B

MD5
5d646684debbc53c0c7ec5fa65f23216

SHA1
c161dec715fcc4156442fc30eaf6b3d0caddfb17

SHA256
cddd4a030f867acb39a0e7697732cbd57bb2e5e9f0d81fc1e7d752d57c1ee195

SHA512
e6518ff37848e7e92d9b820b3eecea2a0d0d85fd6804a8b4f4adf56154aa1a1d5433c3333d469bc8e2ffb9f4ebb4445f979467f970f9155774a670fe5446c19a

Download Submit
C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat

Filesize
56B

MD5
cbba91293fed3dfb5a3a0cd0ec53b505

SHA1
6d66eaa19e366c386d006b8b782cda171c359c43

SHA256
062cff19b7be8c7d9c9941f75b9225982eb3799a766ee73659251f7d0c0b299d

SHA512
a97640da0d86256b3512d84c9a5120e41cb7ed47f3a61f8f4f6212804034a8e19a99fc35a3b91804734c93279b74b23737e31e224152d3e6a17e113fd4bca0f4

Download Submit
C:\comSurrogatecontainercomponentRef\SavesintoHost.exe

Filesize
2.2MB

MD5
3aa1bbd17d68b0b67b7423f1fe09b05b

SHA1
61c43b8f31a51d772fd39d5caa87699d74971a43

SHA256
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474

SHA512
7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014

Download Submit
C:\comSurrogatecontainercomponentRef\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
memory/2092-130-0x000000001CBB0000-0x000000001CCB2000-memory.dmp

Filesize
1.0MB

Download
memory/3004-154-0x000000001CB60000-0x000000001CC62000-memory.dmp

Filesize
1.0MB

Download
memory/3048-118-0x000000001D020000-0x000000001D122000-memory.dmp

Filesize
1.0MB

Download
memory/3644-84-0x0000000002CB0000-0x0000000002CC2000-memory.dmp

Filesize
72KB

Download
memory/3944-142-0x000000001CB00000-0x000000001CC02000-memory.dmp

Filesize
1.0MB

Download
memory/4660-27-0x000000001C370000-0x000000001C37C000-memory.dmp

Filesize
48KB

Download
memory/4660-34-0x000000001C3B0000-0x000000001C3B8000-memory.dmp

Filesize
32KB

Download
memory/4660-38-0x000000001C400000-0x000000001C408000-memory.dmp

Filesize
32KB

Download
memory/4660-40-0x000000001C420000-0x000000001C42C000-memory.dmp

Filesize
48KB

Download
memory/4660-42-0x000000001C440000-0x000000001C44C000-memory.dmp

Filesize
48KB

Download
memory/4660-41-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/4660-43-0x000000001C450000-0x000000001C45A000-memory.dmp

Filesize
40KB

Download
memory/4660-44-0x000000001C460000-0x000000001C46E000-memory.dmp

Filesize
56KB

Download
memory/4660-47-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/4660-49-0x000000001C6C0000-0x000000001C6CA000-memory.dmp

Filesize
40KB

Download
memory/4660-46-0x000000001C480000-0x000000001C488000-memory.dmp

Filesize
32KB

Download
memory/4660-45-0x000000001C470000-0x000000001C478000-memory.dmp

Filesize
32KB

Download
memory/4660-50-0x000000001C6D0000-0x000000001C6DC000-memory.dmp

Filesize
48KB

Download
memory/4660-48-0x000000001C4A0000-0x000000001C4A8000-memory.dmp

Filesize
32KB

Download
memory/4660-37-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

Filesize
48KB

Download
memory/4660-36-0x000000001C9F0000-0x000000001CF18000-memory.dmp

Filesize
5.2MB

Download
memory/4660-35-0x000000001C3C0000-0x000000001C3D2000-memory.dmp

Filesize
72KB

Download
memory/4660-39-0x000000001C410000-0x000000001C41C000-memory.dmp

Filesize
48KB

Download
memory/4660-33-0x000000001C4B0000-0x000000001C4BC000-memory.dmp

Filesize
48KB

Download
memory/4660-32-0x000000001C3A0000-0x000000001C3A8000-memory.dmp

Filesize
32KB

Download
memory/4660-31-0x000000001C390000-0x000000001C39C000-memory.dmp

Filesize
48KB

Download
memory/4660-30-0x000000001C380000-0x000000001C38A000-memory.dmp

Filesize
40KB

Download
memory/4660-29-0x000000001C360000-0x000000001C370000-memory.dmp

Filesize
64KB

Download
memory/4660-28-0x000000001C350000-0x000000001C358000-memory.dmp

Filesize
32KB

Download
memory/4660-22-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/4660-24-0x000000001C1C0000-0x000000001C1D6000-memory.dmp

Filesize
88KB

Download
memory/4660-25-0x000000001C1E0000-0x000000001C1E8000-memory.dmp

Filesize
32KB

Download
memory/4660-26-0x000000001C1F0000-0x000000001C202000-memory.dmp

Filesize
72KB

Download
memory/4660-23-0x000000001C1B0000-0x000000001C1C0000-memory.dmp

Filesize
64KB

Download
memory/4660-21-0x000000001C200000-0x000000001C250000-memory.dmp

Filesize
320KB

Download
memory/4660-20-0x000000001BB30000-0x000000001BB4C000-memory.dmp

Filesize
112KB

Download
memory/4660-19-0x0000000003020000-0x0000000003028000-memory.dmp

Filesize
32KB

Download
memory/4660-18-0x0000000003010000-0x000000000301E000-memory.dmp

Filesize
56KB

Download
memory/4660-17-0x0000000000D10000-0x0000000000F4E000-memory.dmp

Filesize
2.2MB

Download