dcrat | 26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Size

1.5MB
MD5

a5fab16bfd5f2f5b2beef03fc634c78b
SHA1

e2876e25315d4109734bd0ffa2e3d50db7550f5e
SHA256

26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7
SHA512

a8efef2e38b32410db153aa3a8db6558a03e9fe73ed930fc37aaf2af2559dbd4a99c90249156884ecdf573498f6d9e8cdcaac0c983f749cdaf831df611925894
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRQ:EzhWhCXQFN+0IEuQgyiVK4

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 15 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1508	schtasks.exe
		1604	schtasks.exe
		1728	schtasks.exe
		2192	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
		2772	schtasks.exe
		2216	schtasks.exe
		568	schtasks.exe
		2160	schtasks.exe
		2728	schtasks.exe
		2696	schtasks.exe
		1100	schtasks.exe
		2788	schtasks.exe
		2188	schtasks.exe
		2628	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\", \"C:\\Users\\Admin\\Pictures\\conhost.exe\", \"C:\\Windows\\System32\\sppcext\\taskhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\", \"C:\\Users\\Admin\\Pictures\\conhost.exe\", \"C:\\Windows\\System32\\sppcext\\taskhost.exe\", \"C:\\Windows\\System32\\PeerDistSvc\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\wmipicmp\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\", \"C:\\Users\\Admin\\Pictures\\conhost.exe\", \"C:\\Windows\\System32\\sppcext\\taskhost.exe\", \"C:\\Windows\\System32\\PeerDistSvc\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\wmipicmp\\WmiPrvSE.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dwm.exe\", \"C:\\Users\\Default\\SendTo\\wininit.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\", \"C:\\Users\\Admin\\Pictures\\conhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\", \"C:\\Users\\Admin\\Pictures\\conhost.exe\", \"C:\\Windows\\System32\\sppcext\\taskhost.exe\", \"C:\\Windows\\System32\\PeerDistSvc\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\", \"C:\\Users\\Admin\\Pictures\\conhost.exe\", \"C:\\Windows\\System32\\sppcext\\taskhost.exe\", \"C:\\Windows\\System32\\PeerDistSvc\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\wmipicmp\\WmiPrvSE.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dwm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\", \"C:\\ProgramData\\Templates\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\wship6\\csrss.exe\", \"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\", \"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\", \"C:\\Users\\Admin\\Pictures\\conhost.exe\", \"C:\\Windows\\System32\\sppcext\\taskhost.exe\", \"C:\\Windows\\System32\\PeerDistSvc\\csrss.exe\", \"C:\\Windows\\System32\\wbem\\wmipicmp\\WmiPrvSE.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dwm.exe\", \"C:\\Users\\Default\\SendTo\\wininit.exe\", \"C:\\Windows\\System32\\wbem\\secrcw32\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2060	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2060	schtasks.exe	28

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3028	powershell.exe
2640	powershell.exe
2020	powershell.exe
1928	powershell.exe
2740	powershell.exe
1760	powershell.exe
2620	powershell.exe
1804	powershell.exe
1744	powershell.exe
772	powershell.exe
1276	powershell.exe
2712	powershell.exe
2040	powershell.exe
2316	powershell.exe
2016	powershell.exe
2736	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Executes dropped EXE 10 IoCs

pid	Process
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2032	wininit.exe
2724	wininit.exe
1548	wininit.exe
620	wininit.exe
2560	wininit.exe
1352	wininit.exe
3020	wininit.exe
1708	wininit.exe
2384	wininit.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\wship6\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\PeerDistSvc\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\SendTo\\wininit.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\secrcw32\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\sppcext\\taskhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Templates\\lsm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\PeerDistSvc\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\SendTo\\wininit.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\sppcext\\taskhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistMSI1E4E\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wmipicmp\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wmipicmp\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dwm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\NlsLexicons0414\\sppsvc.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7 = "\"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7 = "\"C:\\ProgramData\\Templates\\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\Pictures\\conhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\wship6\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\Pictures\\conhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\dwm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\secrcw32\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\smss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Templates\\lsm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\System32\NlsLexicons0414\sppsvc.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\NlsLexicons0414\0a1fd5f707cd16	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\wbem\secrcw32\WmiPrvSE.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\sppcext\taskhost.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\wbem\wmipicmp\WmiPrvSE.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\wship6\csrss.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\NlsLexicons0414\RCX9583.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\sppcext\taskhost.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\PeerDistSvc\886983d96e3d3e	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wbem\wmipicmp\WmiPrvSE.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wbem\secrcw32\WmiPrvSE.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\sppcext\b75386f1303e64	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\PeerDistSvc\csrss.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wship6\csrss.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wship6\886983d96e3d3e	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\DeviceDisplayObjectProvider\RCX8B70.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\DeviceDisplayObjectProvider\smss.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\wship6\RCX917B.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\NlsLexicons0414\sppsvc.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wbem\wmipicmp\24dbde2999530e	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wbem\secrcw32\24dbde2999530e	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\DeviceDisplayObjectProvider\smss.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\DeviceDisplayObjectProvider\69ddcba757bf72	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\PeerDistSvc\csrss.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1728	schtasks.exe
2788	schtasks.exe
2772	schtasks.exe
1508	schtasks.exe
1604	schtasks.exe
2160	schtasks.exe
2192	schtasks.exe
2216	schtasks.exe
568	schtasks.exe
1100	schtasks.exe
2188	schtasks.exe
2728	schtasks.exe
2696	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1276	powershell.exe
2016	powershell.exe
2316	powershell.exe
2020	powershell.exe
772	powershell.exe
1744	powershell.exe
1804	powershell.exe
2040	powershell.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2736	powershell.exe
1760	powershell.exe
3028	powershell.exe
1928	powershell.exe
2712	powershell.exe
2620	powershell.exe
2640	powershell.exe
2740	powershell.exe
2032	wininit.exe
2032	wininit.exe
2032	wininit.exe
2032	wininit.exe
2032	wininit.exe
2032	wininit.exe
2032	wininit.exe
2032	wininit.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2032	wininit.exe
Token: SeDebugPrivilege	2724	wininit.exe
Token: SeDebugPrivilege	1548	wininit.exe
Token: SeDebugPrivilege	620	wininit.exe
Token: SeDebugPrivilege	2560	wininit.exe
Token: SeDebugPrivilege	1352	wininit.exe
Token: SeDebugPrivilege	3020	wininit.exe
Token: SeDebugPrivilege	1708	wininit.exe
Token: SeDebugPrivilege	2384	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1804	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	36
PID 2408 wrote to memory of 1804	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	36
PID 2408 wrote to memory of 1804	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	36
PID 2408 wrote to memory of 2040	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	37
PID 2408 wrote to memory of 2040	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	37
PID 2408 wrote to memory of 2040	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	37
PID 2408 wrote to memory of 2020	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	38
PID 2408 wrote to memory of 2020	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	38
PID 2408 wrote to memory of 2020	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	38
PID 2408 wrote to memory of 2316	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	39
PID 2408 wrote to memory of 2316	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	39
PID 2408 wrote to memory of 2316	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	39
PID 2408 wrote to memory of 2016	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	40
PID 2408 wrote to memory of 2016	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	40
PID 2408 wrote to memory of 2016	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	40
PID 2408 wrote to memory of 1744	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	41
PID 2408 wrote to memory of 1744	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	41
PID 2408 wrote to memory of 1744	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	41
PID 2408 wrote to memory of 772	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	42
PID 2408 wrote to memory of 772	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	42
PID 2408 wrote to memory of 772	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	42
PID 2408 wrote to memory of 1276	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	43
PID 2408 wrote to memory of 1276	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	43
PID 2408 wrote to memory of 1276	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	43
PID 2408 wrote to memory of 1988	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	52
PID 2408 wrote to memory of 1988	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	52
PID 2408 wrote to memory of 1988	2408	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	52
PID 1988 wrote to memory of 3028	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	60
PID 1988 wrote to memory of 3028	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	60
PID 1988 wrote to memory of 3028	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	60
PID 1988 wrote to memory of 1760	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	61
PID 1988 wrote to memory of 1760	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	61
PID 1988 wrote to memory of 1760	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	61
PID 1988 wrote to memory of 2640	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	62
PID 1988 wrote to memory of 2640	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	62
PID 1988 wrote to memory of 2640	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	62
PID 1988 wrote to memory of 2740	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	64
PID 1988 wrote to memory of 2740	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	64
PID 1988 wrote to memory of 2740	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	64
PID 1988 wrote to memory of 2620	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	66
PID 1988 wrote to memory of 2620	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	66
PID 1988 wrote to memory of 2620	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	66
PID 1988 wrote to memory of 2736	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	67
PID 1988 wrote to memory of 2736	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	67
PID 1988 wrote to memory of 2736	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	67
PID 1988 wrote to memory of 1928	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	68
PID 1988 wrote to memory of 1928	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	68
PID 1988 wrote to memory of 1928	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	68
PID 1988 wrote to memory of 2712	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	69
PID 1988 wrote to memory of 2712	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	69
PID 1988 wrote to memory of 2712	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	69
PID 1988 wrote to memory of 2760	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	73
PID 1988 wrote to memory of 2760	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	73
PID 1988 wrote to memory of 2760	1988	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	73
PID 2760 wrote to memory of 1980	2760	cmd.exe	78
PID 2760 wrote to memory of 1980	2760	cmd.exe	78
PID 2760 wrote to memory of 1980	2760	cmd.exe	78
PID 2760 wrote to memory of 2032	2760	cmd.exe	79
PID 2760 wrote to memory of 2032	2760	cmd.exe	79
PID 2760 wrote to memory of 2032	2760	cmd.exe	79
PID 2032 wrote to memory of 1516	2032	wininit.exe	80
PID 2032 wrote to memory of 1516	2032	wininit.exe	80
PID 2032 wrote to memory of 1516	2032	wininit.exe	80
PID 2032 wrote to memory of 2328	2032	wininit.exe	81

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
"C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DeviceDisplayObjectProvider\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Templates\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E4E\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wship6\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Templates\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsLexicons0414\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
  "C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\conhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sppcext\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PeerDistSvc\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\wmipicmp\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\secrcw32\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LboswBIu8H.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1980
  - - C:\Users\Default\SendTo\wininit.exe
      "C:\Users\Default\SendTo\wininit.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11e8fb7b-1391-472e-9eac-864ee1470782.vbs"
        5⤵
        
        PID:1516
      - C:\Users\Default\SendTo\wininit.exe
        
        C:\Users\Default\SendTo\wininit.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d531bbf1-0650-4418-8194-e6b978fc3cb2.vbs"
        7⤵
        
        PID:568
        
        C:\Users\Default\SendTo\wininit.exe
        
        C:\Users\Default\SendTo\wininit.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8af62cb4-8262-4cb5-bfdc-a756e1d0bea7.vbs"
        9⤵
        
        PID:2496
        
        C:\Users\Default\SendTo\wininit.exe
        
        C:\Users\Default\SendTo\wininit.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6caf9a43-bcf3-4d2f-a5fd-48f837d7669c.vbs"
        11⤵
        
        PID:2852
        
        C:\Users\Default\SendTo\wininit.exe
        
        C:\Users\Default\SendTo\wininit.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbbd2c42-1862-467b-99eb-5d6073eabbb4.vbs"
        13⤵
        
        PID:2076
        
        C:\Users\Default\SendTo\wininit.exe
        
        C:\Users\Default\SendTo\wininit.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecc6b8f5-6fce-4e0b-8aa3-310d532a8e63.vbs"
        15⤵
        
        PID:1276
        
        C:\Users\Default\SendTo\wininit.exe
        
        C:\Users\Default\SendTo\wininit.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf26a0ca-07c0-46ad-96ff-99c86a5b014e.vbs"
        17⤵
        
        PID:1872
        
        C:\Users\Default\SendTo\wininit.exe
        
        C:\Users\Default\SendTo\wininit.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b05d9bc9-4b75-4c9d-b6d4-30f69521824a.vbs"
        19⤵
        
        PID:1676
        
        C:\Users\Default\SendTo\wininit.exe
        
        C:\Users\Default\SendTo\wininit.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\288524da-93c0-4efc-a70a-aa047fc342c4.vbs"
        21⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16a84d99-5981-45a7-b6a7-81375700ac3d.vbs"
        21⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85a1cce6-ad04-4617-80dc-3693e7339023.vbs"
        19⤵
        
        PID:580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3320c2d7-d7da-4c86-b366-bd0c04136d1d.vbs"
        17⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaee9e95-3b71-4da3-9114-2c604afc6966.vbs"
        15⤵
        
        PID:1812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7c9986e-e513-46ed-9bf0-d6c632437327.vbs"
        13⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9484299-f922-4563-8f32-e6b794f9d8f5.vbs"
        11⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eda417b-dd8a-4219-a293-03a8e3b95957.vbs"
        9⤵
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6705b22-4aa5-40b9-8e4e-c9d59aa5669a.vbs"
        7⤵
        
        PID:2576
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba0bb501-9a12-4267-99d4-3014f0625723.vbs"
        5⤵
        
        PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\DeviceDisplayObjectProvider\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\ProgramData\Templates\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E4E\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\wship6\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7" /sc ONLOGON /tr "'C:\ProgramData\Templates\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0414\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\sppcext\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\PeerDistSvc\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wmipicmp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\SendTo\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\secrcw32\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11e8fb7b-1391-472e-9eac-864ee1470782.vbs

Filesize
711B

MD5
ba9287e9496e14f22e6cbcc195808925

SHA1
f083dbdc71a2496f53152db10a72be3d506da6cb

SHA256
4fd1fd33c3ba47c352529d600bc861f652ffaaffbabec5f78b284d5ec3d291b6

SHA512
13673eae60537dbf2082ebe18757f7957b9bc7ef2bb86118902f6112bdea3f2cd34ef59c0d431188601104a36197929cbba8350f3a581cb07e3f4f06d68e331f

Download Submit
C:\Users\Admin\AppData\Local\Temp\288524da-93c0-4efc-a70a-aa047fc342c4.vbs

Filesize
711B

MD5
2fb41a511dc69c48acf75b1e62b03980

SHA1
aeed8a550e7133eaa7c8dd3c20597b1276185947

SHA256
fedb98458f3424c20efad488a8835ca866281b08a58272582b884cedcc460172

SHA512
ae429b5e40ae4bdbc503eb705f8bc1d4fe7f478a0c2aad19f595af9abee93fde3e49a653cbc40441213ce203283bc16b151237b873dfea4277a090e38eb02ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6caf9a43-bcf3-4d2f-a5fd-48f837d7669c.vbs

Filesize
710B

MD5
198e7c54a69c5a63c563a14ae363dcb1

SHA1
89d9778c6ad1547154a50de05fb718bc0e48effe

SHA256
25dbace8d45934f11c0ab7a67e74a66458d762f28a30a966831850ed7c659e6c

SHA512
cf481162ad20227e392c5d855030b9ead2174505357c077a6ec53ec2a12ad73c20eab300c8afcfe427a2c141f4f87d44bfbb42108f283c9427e8a1df0e7f7acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8af62cb4-8262-4cb5-bfdc-a756e1d0bea7.vbs

Filesize
711B

MD5
ee85faa7821100ec46813448af7a16b6

SHA1
01ebcd5b27e9fa4d52921528cdae17c3f1a5ca02

SHA256
9aabae0209cd036c9bc035f84f16c9b2b5526ffc375d959b2cf306667026cc5a

SHA512
8ee615a6d284c18014528f5afe380e7520ae377e7f35e111d15c5a504c9a0b8d0b6b30819fbe07474863eb9d6982651ad945d47e4130c98801c13bf088aa10ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\LboswBIu8H.bat

Filesize
199B

MD5
6d114debc332de00cbb71c2031414adb

SHA1
5e390a3df480f7e5ddc3ce92bf6d104fcddb5bd9

SHA256
61b73649e466c8d088c2f740067595fc0641526b53163b37ab68539ce1b6a515

SHA512
840643703445ade06b3464eaf2d4e778768c97bd5b0ace7d5ed22f141d6781ede782beaa2b55b474daff7d797c3ca4a73439bca5c7febfc4273e3cedecf9b6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b05d9bc9-4b75-4c9d-b6d4-30f69521824a.vbs

Filesize
711B

MD5
50f057550bed1ea27a39777adde8ee39

SHA1
e81dcd364895db461022c7db71cef677ab683fd0

SHA256
0055ae087c327304d309ea36fc7d04d2fdef14686b95656a4a31ab3c7a551ccc

SHA512
7134f72314912bcfb1c51e15a308c2c3d517ea71c2b21c1b12f7d3dffb8436d4f89fb0039b7ee6c56937c4b19ffd80268ea92ed81580a00f7e715c1838f15832

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba0bb501-9a12-4267-99d4-3014f0625723.vbs

Filesize
487B

MD5
878b791a416034df06906219115b8be6

SHA1
9bf0c582e13c6f2d97b3bfb54cf443f6cd1c5255

SHA256
84ff307b86b4c90c538c91b313dc12b6c1787c8cc0c75ac05729242c59987e4e

SHA512
4725240f8117085e3a9482e2a056aac4591ac8df31e158ef38f9cccf774dd44bae98030b7a828b0ab8184b57633165200135c538daea78b83bfd2d8b1f65ca63

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbbd2c42-1862-467b-99eb-5d6073eabbb4.vbs

Filesize
711B

MD5
72eef836539c288fe61f20c9d9281ef3

SHA1
7b01924481a43222edfdb396622d600897ff9e89

SHA256
ae024061f771d59e9d1e673d1c7ed54bce62cf4d0639b37f2f397f3ee8e910fa

SHA512
24bcfafc1981fabf1af06bb969096277e8cf80fcd6afcc5c83d9ba5ca354820e8f59efff1cc200071641eac8cf1cde8689067d44ef6b0e02be282c6af02bc283

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf26a0ca-07c0-46ad-96ff-99c86a5b014e.vbs

Filesize
711B

MD5
5c0df8f68203b4257c8316bc916a766d

SHA1
26af6e1628a87e03a866f90daf3cbec7e489cdd4

SHA256
91d804eeaad13aee72d7c6d4b6616dd2440cc952bb7e8d6a04fabb705c6e8fa9

SHA512
969a796e1845df791d37901d19729ab5a53bd8e952ef9162603f17ed3a3f74bb3cf86aab0bd7e85e6fa9d6ed8684665200535f4b9df39da5a331dad2c2c25b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d531bbf1-0650-4418-8194-e6b978fc3cb2.vbs

Filesize
711B

MD5
041f267ae8cd7033f3785e0e9d81c59b

SHA1
cd58aaf791eed4c1d89ec26a2dfe8932d429f934

SHA256
279776d258f199aedf99d8a37b4cabb9fdccf724853e8756dad499a634ba0c9d

SHA512
287c3358cf814189b761815381600391b5dbf8e134c7d59a482eb9c9110682b3d14b5b375ae740dd3ef8a1d460455786d7535abf8b5947a2043383439a17e422

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecc6b8f5-6fce-4e0b-8aa3-310d532a8e63.vbs

Filesize
711B

MD5
9bbb14d49d0f17284d72aebfeaaa6442

SHA1
9d56707f046982b47ee945b7ebfea1c8951e8fe7

SHA256
ccf17781489f4cde5bc979166263df6aeb88b575243620a992e8049ef3217494

SHA512
ef0710d4539dc6910f6d560f8f3cebb56dc4f415e672339760dae82829ee06926711d3e2a3367ed0a5ad7406d9c95caa7b5ea0911907973a7cf63b189372c94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
616B

MD5
b30ac40f5099351c46a7f7c87c37b7c3

SHA1
86f8c30f59c398e07386e165bd7b63d90313c926

SHA256
cc24ac8d32f9bad82558e22436a585f26c578f7a79d6e734d60cf569a038e60c

SHA512
71ca2abfb8f22980885a129a3e81c1f397cb29e6904e81b4a8251f6304097bd83283e5db66c80ce138f3945fc35c5ae6a28d8af1191082858c8977849ca1fe5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07208e481da967475936d55540f179ec

SHA1
8078d5760514c012612a02f2b05ab76b136fe46e

SHA256
845733fc7f38bed5b3681d1527a360c64b2c78ddf22f777fb2cc905919b4bd9e

SHA512
62105be56dafc55e74e3d04b58fe942a7b8ab6a31fb115039d455ebbfe085bff370877b2d64818b9cd15b993e91f6bb2d5f2dc274ea9bf40e946c53b0929aed9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
999e713b7f81a593a0dd2549c50eb2c5

SHA1
055f3945d8df4af8d776366163c96ee442c6c5a5

SHA256
d7c6be35cbeea01e861eeb5e9389196f605a28d8ab5dba0ea1793ca0e5b70526

SHA512
a87bd35acee9e0dce6eb528fe0484b6771047e229679f8183e272adf2543c1725edd4176a9d6d01fd26b5c212087d3eacfa3944839bbf3ecb6c6ab48db02a277

Download Submit
C:\Windows\System32\wship6\csrss.exe

Filesize
1.5MB

MD5
a5fab16bfd5f2f5b2beef03fc634c78b

SHA1
e2876e25315d4109734bd0ffa2e3d50db7550f5e

SHA256
26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7

SHA512
a8efef2e38b32410db153aa3a8db6558a03e9fe73ed930fc37aaf2af2559dbd4a99c90249156884ecdf573498f6d9e8cdcaac0c983f749cdaf831df611925894

Download Submit
memory/620-245-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1276-121-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1276-115-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1708-292-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1708-291-0x00000000002F0000-0x000000000046E000-memory.dmp

Filesize
1.5MB

Download
memory/1760-179-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1988-133-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2032-210-0x0000000000E40000-0x0000000000FBE000-memory.dmp

Filesize
1.5MB

Download
memory/2384-304-0x0000000000390000-0x000000000050E000-memory.dmp

Filesize
1.5MB

Download
memory/2408-13-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2408-4-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2408-3-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2408-18-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/2408-17-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2408-1-0x0000000000120000-0x000000000029E000-memory.dmp

Filesize
1.5MB

Download
memory/2408-16-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2408-15-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2408-120-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-24-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

Filesize
4KB

Download
memory/2408-20-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/2408-14-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2408-12-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2408-11-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2408-10-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2408-9-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2408-8-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2408-7-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2408-6-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2408-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-5-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2408-21-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2724-222-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2724-221-0x0000000001360000-0x00000000014DE000-memory.dmp

Filesize
1.5MB

Download
memory/2736-180-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/3020-279-0x00000000001B0000-0x000000000032E000-memory.dmp

Filesize
1.5MB

Download