dcrat | 37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72

Analysis

max time kernel
147s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a026b442f5d5739ea3d8565f3a044d.exe
Size

2.6MB
MD5

97a026b442f5d5739ea3d8565f3a044d
SHA1

dd409fa09eede943173f5aed10542f378062dcb1
SHA256

37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72
SHA512

007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d
SSDEEP

49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 16 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		97a026b442f5d5739ea3d8565f3a044d.exe
		2904	schtasks.exe
		2672	schtasks.exe
		2404	schtasks.exe
		1028	schtasks.exe
		2028	schtasks.exe
		2628	schtasks.exe
		2976	schtasks.exe
		2780	schtasks.exe
		2732	schtasks.exe
		2052	schtasks.exe
		2956	schtasks.exe
		2804	schtasks.exe
		2876	schtasks.exe
		2612	schtasks.exe
		1108	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\Idle.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\csrss.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	580	schtasks.exe	30

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2292-1-0x0000000000B10000-0x0000000000DA8000-memory.dmp	dcrat
behavioral1/files/0x00050000000195c5-26.dat	dcrat
behavioral1/memory/2132-55-0x0000000000CF0000-0x0000000000F88000-memory.dmp	dcrat
behavioral1/memory/596-107-0x0000000001280000-0x0000000001518000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1776	powershell.exe
576	powershell.exe
2840	powershell.exe
2604	powershell.exe
2036	powershell.exe
3008	powershell.exe
2992	powershell.exe
1640	powershell.exe
1484	powershell.exe
2972	powershell.exe
2352	powershell.exe
1996	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2132	Idle.exe
596	Idle.exe
2712	Idle.exe
2200	Idle.exe
2876	Idle.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsass.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\csrss.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\Idle.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\Idle.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\csrss.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\lsass.exe\""	97a026b442f5d5739ea3d8565f3a044d.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97a026b442f5d5739ea3d8565f3a044d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\Idle.exe	97a026b442f5d5739ea3d8565f3a044d.exe
File created	C:\Program Files\Mozilla Firefox\fonts\6ccacd8608530f	97a026b442f5d5739ea3d8565f3a044d.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe	97a026b442f5d5739ea3d8565f3a044d.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\886983d96e3d3e	97a026b442f5d5739ea3d8565f3a044d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2904	schtasks.exe
2956	schtasks.exe
2876	schtasks.exe
2732	schtasks.exe
2612	schtasks.exe
2780	schtasks.exe
2628	schtasks.exe
2804	schtasks.exe
2052	schtasks.exe
2672	schtasks.exe
1028	schtasks.exe
1108	schtasks.exe
2976	schtasks.exe
2404	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2292	97a026b442f5d5739ea3d8565f3a044d.exe
2292	97a026b442f5d5739ea3d8565f3a044d.exe
2292	97a026b442f5d5739ea3d8565f3a044d.exe
2292	97a026b442f5d5739ea3d8565f3a044d.exe
2292	97a026b442f5d5739ea3d8565f3a044d.exe
1484	powershell.exe
2604	powershell.exe
3008	powershell.exe
1996	powershell.exe
2132	Idle.exe
2840	powershell.exe
2036	powershell.exe
1640	powershell.exe
576	powershell.exe
1776	powershell.exe
2972	powershell.exe
2992	powershell.exe
2352	powershell.exe
596	Idle.exe
2712	Idle.exe
2200	Idle.exe
2876	Idle.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	97a026b442f5d5739ea3d8565f3a044d.exe
Token: SeDebugPrivilege	2132	Idle.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	596	Idle.exe
Token: SeDebugPrivilege	2712	Idle.exe
Token: SeDebugPrivilege	2200	Idle.exe
Token: SeDebugPrivilege	2876	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2036	2292	97a026b442f5d5739ea3d8565f3a044d.exe	46
PID 2292 wrote to memory of 2036	2292	97a026b442f5d5739ea3d8565f3a044d.exe	46
PID 2292 wrote to memory of 2036	2292	97a026b442f5d5739ea3d8565f3a044d.exe	46
PID 2292 wrote to memory of 3008	2292	97a026b442f5d5739ea3d8565f3a044d.exe	47
PID 2292 wrote to memory of 3008	2292	97a026b442f5d5739ea3d8565f3a044d.exe	47
PID 2292 wrote to memory of 3008	2292	97a026b442f5d5739ea3d8565f3a044d.exe	47
PID 2292 wrote to memory of 1484	2292	97a026b442f5d5739ea3d8565f3a044d.exe	48
PID 2292 wrote to memory of 1484	2292	97a026b442f5d5739ea3d8565f3a044d.exe	48
PID 2292 wrote to memory of 1484	2292	97a026b442f5d5739ea3d8565f3a044d.exe	48
PID 2292 wrote to memory of 2972	2292	97a026b442f5d5739ea3d8565f3a044d.exe	49
PID 2292 wrote to memory of 2972	2292	97a026b442f5d5739ea3d8565f3a044d.exe	49
PID 2292 wrote to memory of 2972	2292	97a026b442f5d5739ea3d8565f3a044d.exe	49
PID 2292 wrote to memory of 2992	2292	97a026b442f5d5739ea3d8565f3a044d.exe	50
PID 2292 wrote to memory of 2992	2292	97a026b442f5d5739ea3d8565f3a044d.exe	50
PID 2292 wrote to memory of 2992	2292	97a026b442f5d5739ea3d8565f3a044d.exe	50
PID 2292 wrote to memory of 1640	2292	97a026b442f5d5739ea3d8565f3a044d.exe	51
PID 2292 wrote to memory of 1640	2292	97a026b442f5d5739ea3d8565f3a044d.exe	51
PID 2292 wrote to memory of 1640	2292	97a026b442f5d5739ea3d8565f3a044d.exe	51
PID 2292 wrote to memory of 2352	2292	97a026b442f5d5739ea3d8565f3a044d.exe	52
PID 2292 wrote to memory of 2352	2292	97a026b442f5d5739ea3d8565f3a044d.exe	52
PID 2292 wrote to memory of 2352	2292	97a026b442f5d5739ea3d8565f3a044d.exe	52
PID 2292 wrote to memory of 1776	2292	97a026b442f5d5739ea3d8565f3a044d.exe	53
PID 2292 wrote to memory of 1776	2292	97a026b442f5d5739ea3d8565f3a044d.exe	53
PID 2292 wrote to memory of 1776	2292	97a026b442f5d5739ea3d8565f3a044d.exe	53
PID 2292 wrote to memory of 576	2292	97a026b442f5d5739ea3d8565f3a044d.exe	54
PID 2292 wrote to memory of 576	2292	97a026b442f5d5739ea3d8565f3a044d.exe	54
PID 2292 wrote to memory of 576	2292	97a026b442f5d5739ea3d8565f3a044d.exe	54
PID 2292 wrote to memory of 2840	2292	97a026b442f5d5739ea3d8565f3a044d.exe	55
PID 2292 wrote to memory of 2840	2292	97a026b442f5d5739ea3d8565f3a044d.exe	55
PID 2292 wrote to memory of 2840	2292	97a026b442f5d5739ea3d8565f3a044d.exe	55
PID 2292 wrote to memory of 1996	2292	97a026b442f5d5739ea3d8565f3a044d.exe	56
PID 2292 wrote to memory of 1996	2292	97a026b442f5d5739ea3d8565f3a044d.exe	56
PID 2292 wrote to memory of 1996	2292	97a026b442f5d5739ea3d8565f3a044d.exe	56
PID 2292 wrote to memory of 2604	2292	97a026b442f5d5739ea3d8565f3a044d.exe	57
PID 2292 wrote to memory of 2604	2292	97a026b442f5d5739ea3d8565f3a044d.exe	57
PID 2292 wrote to memory of 2604	2292	97a026b442f5d5739ea3d8565f3a044d.exe	57
PID 2292 wrote to memory of 2132	2292	97a026b442f5d5739ea3d8565f3a044d.exe	70
PID 2292 wrote to memory of 2132	2292	97a026b442f5d5739ea3d8565f3a044d.exe	70
PID 2292 wrote to memory of 2132	2292	97a026b442f5d5739ea3d8565f3a044d.exe	70
PID 2132 wrote to memory of 2624	2132	Idle.exe	71
PID 2132 wrote to memory of 2624	2132	Idle.exe	71
PID 2132 wrote to memory of 2624	2132	Idle.exe	71
PID 2132 wrote to memory of 2644	2132	Idle.exe	72
PID 2132 wrote to memory of 2644	2132	Idle.exe	72
PID 2132 wrote to memory of 2644	2132	Idle.exe	72
PID 2624 wrote to memory of 596	2624	WScript.exe	74
PID 2624 wrote to memory of 596	2624	WScript.exe	74
PID 2624 wrote to memory of 596	2624	WScript.exe	74
PID 596 wrote to memory of 1184	596	Idle.exe	75
PID 596 wrote to memory of 1184	596	Idle.exe	75
PID 596 wrote to memory of 1184	596	Idle.exe	75
PID 596 wrote to memory of 2672	596	Idle.exe	76
PID 596 wrote to memory of 2672	596	Idle.exe	76
PID 596 wrote to memory of 2672	596	Idle.exe	76
PID 1184 wrote to memory of 2712	1184	WScript.exe	77
PID 1184 wrote to memory of 2712	1184	WScript.exe	77
PID 1184 wrote to memory of 2712	1184	WScript.exe	77
PID 2712 wrote to memory of 888	2712	Idle.exe	78
PID 2712 wrote to memory of 888	2712	Idle.exe	78
PID 2712 wrote to memory of 888	2712	Idle.exe	78
PID 2712 wrote to memory of 2916	2712	Idle.exe	79
PID 2712 wrote to memory of 2916	2712	Idle.exe	79
PID 2712 wrote to memory of 2916	2712	Idle.exe	79
PID 888 wrote to memory of 2200	888	WScript.exe	80

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	97a026b442f5d5739ea3d8565f3a044d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97a026b442f5d5739ea3d8565f3a044d.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97a026b442f5d5739ea3d8565f3a044d.exe
"C:\Users\Admin\AppData\Local\Temp\97a026b442f5d5739ea3d8565f3a044d.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Program Files\Mozilla Firefox\fonts\Idle.exe
  "C:\Program Files\Mozilla Firefox\fonts\Idle.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2132
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0e7bf88-5339-456a-b10d-b3e1c5708c96.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Program Files\Mozilla Firefox\fonts\Idle.exe
      "C:\Program Files\Mozilla Firefox\fonts\Idle.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:596
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e78bbf9-2af6-457d-8c63-8837c75e8e5e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Program Files\Mozilla Firefox\fonts\Idle.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\Idle.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c1e59c4-d32d-4f9d-bcb0-6f8d4fe5a703.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Program Files\Mozilla Firefox\fonts\Idle.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\Idle.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e745470-0928-401f-b5b3-10816160acf6.vbs"
        9⤵
        
        PID:2196
        
        C:\Program Files\Mozilla Firefox\fonts\Idle.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\Idle.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697556ca-14bb-4b28-bee0-086a8e0a67c2.vbs"
        11⤵
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7e485bb-aaa9-40b4-97b2-be6dd2ea759a.vbs"
        11⤵
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ee51ed6-4fe4-4393-bea9-3364b3b71745.vbs"
        9⤵
        
        PID:564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7607a74b-1a64-4afc-bf13-e22a91b22881.vbs"
        7⤵
        
        PID:2916
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58ceaa75-47c3-4732-b65a-a4a725ef9856.vbs"
        5⤵
        
        PID:2672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37bdb456-a52c-4eb9-851a-72a61fd70ef7.vbs"
    3⤵
    PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe

Filesize
2.6MB

MD5
97a026b442f5d5739ea3d8565f3a044d

SHA1
dd409fa09eede943173f5aed10542f378062dcb1

SHA256
37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72

SHA512
007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e745470-0928-401f-b5b3-10816160acf6.vbs

Filesize
723B

MD5
9a9bdd4426136b2a86a54697c24b704c

SHA1
fb2fe17b0d48ffffc9bfadb2d88623540210863d

SHA256
9e1bd0ca7bcf8d6a7f5dd3b7234fed03e35e874936f20a80c758f165d491b842

SHA512
a0ee7da82cd28b797b007abaaf6d3b5e5e5e6494617665f6e3c28799df526e340e05a96408a2d936c75dfdeb65da77bd07bd37503b32f9c51a96997df21c1d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\37bdb456-a52c-4eb9-851a-72a61fd70ef7.vbs

Filesize
499B

MD5
016ff1046e473cce357753cc2c83216e

SHA1
76e97cc541a2468e99679943d4dfbffa4ee1782a

SHA256
1639399e82760bae6b5ac86bd9b9753fa953bdb0a461111636131713bc1faae0

SHA512
9197394017c0a22d78edf2a4eef985f4aa9401e1095b3a2e704cd82b0c6be1d220e8a20e519b5cbd271884dec5729d3a38af6d5f5d4c997116672f4875f5c120

Download Submit
C:\Users\Admin\AppData\Local\Temp\697556ca-14bb-4b28-bee0-086a8e0a67c2.vbs

Filesize
723B

MD5
d7981a2df0e6b86219dbdf0365881da8

SHA1
30f71f878a7a8c30ec1d0b2112f39a8f633277cd

SHA256
575af147c7b001e16da9e85b572e0f63a3497af1ca3ad2fdaaa9379135775013

SHA512
be74ade50b2c60f642ea03301b118d8eda54c2065a3d937384c7231f14af040296bb2b27e8210a030fa08f8ca3ecbca6d56df18722daf55c5f6d872498696201

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e78bbf9-2af6-457d-8c63-8837c75e8e5e.vbs

Filesize
722B

MD5
e68017dce60473527701c5eadbc846e5

SHA1
223ca8d0b2bf1282e6fc88596a1537a4cb2dc2ff

SHA256
f384092d033f5b6521f494e566d6d2eda1377014468d374b351029a1af39f09a

SHA512
aba79696faa4452b0addc907d2b705d26d38b50b3de3e4fcec668272c268f5594b0e649be76043b9a66224057573486d6fbb10f38a30b21ef72128be3cf5f2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c1e59c4-d32d-4f9d-bcb0-6f8d4fe5a703.vbs

Filesize
723B

MD5
c42f167897b2f9b29e2dac161504bbb5

SHA1
fde06ab98addef98c45d2be34e9938dedda7f46e

SHA256
b88f1296e5b6df1571ea443b0cc412aa037b60651c71323b79c6a4064f3cfb8d

SHA512
f49c535569a6a61a62ed680bc7e9bf1228a58cfa53d4f64565853cea6c5fdf4b325d94aa8b8333c0f3868e5d9a1905e66154c2be4853b7ff28250243886138df

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0e7bf88-5339-456a-b10d-b3e1c5708c96.vbs

Filesize
723B

MD5
083e56eefadd800f11f14e338de8c6b8

SHA1
2895ee16a006ee12675425d4297938ce42c08097

SHA256
fa776f2e94286dd94d6a234f273711fb79df41b45e288059038c140ef5967691

SHA512
e3ef6ec457099a784722a25c19101f1d62e996f2fdd5e56249aa1c20026ee78c5401bffa565d7ebf1b0db06a98123a06802bc997dcdd9b832628ee5b218fd28f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d5f81f5ca5da6438ac74bea501d47f8b

SHA1
2296428b142fefed3c064b36e49fbdcf8e41c49d

SHA256
ac5a61e9df60f39e7660662f758db9de88ed814413d5c35dcd5c2ef998b2feac

SHA512
97cc921b3115397e4ddd95cb53ab81101d7a6a83b1b3d4df74c076c944ca2c5e4ca3bda6c893fd772b9428d1ddbc6ad258337232926d7d04aa1e505cda0efc21

Download Submit
memory/596-108-0x0000000000D20000-0x0000000000D76000-memory.dmp

Filesize
344KB

Download
memory/596-107-0x0000000001280000-0x0000000001518000-memory.dmp

Filesize
2.6MB

Download
memory/1484-95-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2132-55-0x0000000000CF0000-0x0000000000F88000-memory.dmp

Filesize
2.6MB

Download
memory/2292-8-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/2292-4-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2292-12-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2292-15-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/2292-16-0x000000001AE50000-0x000000001AE5A000-memory.dmp

Filesize
40KB

Download
memory/2292-17-0x000000001AE60000-0x000000001AE6C000-memory.dmp

Filesize
48KB

Download
memory/2292-14-0x00000000021F0000-0x00000000021FE000-memory.dmp

Filesize
56KB

Download
memory/2292-32-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-11-0x000000001AE00000-0x000000001AE56000-memory.dmp

Filesize
344KB

Download
memory/2292-10-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2292-9-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2292-1-0x0000000000B10000-0x0000000000DA8000-memory.dmp

Filesize
2.6MB

Download
memory/2292-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2292-7-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2292-6-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/2292-5-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2292-13-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/2292-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-3-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/2604-96-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2712-120-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download