dcrat | 0043be0527169c370619ab57df3eefb66f7742e90449cfc952489d70fdbca59a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

3.7MB
MD5

072756d824448388227ca413cf9b30fb
SHA1

3774a14ae84e955c57a35f82da833d46cea22ed3
SHA256

0043be0527169c370619ab57df3eefb66f7742e90449cfc952489d70fdbca59a
SHA512

2a3953faddf9b6037a0a34499ac11011e4c22d931ba9e4ab174b0ebd7e1c1bade9546a6b970f6280402905159b42bcdc60c92a91e8dd39cd9ff14ddf73638a4d
SSDEEP

98304:yQpUIa1ishqq/x4XR09rQVkREwySMEX+y:xpUIa0KFl9rnRHPZXF

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\SKB\\upfc.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\SKB\\upfc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\RuntimeBroker.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comdll\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\dwm.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\SKB\\upfc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\RuntimeBroker.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\SKB\\upfc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\RuntimeBroker.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\upfc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\RuntimeBroker.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comdll\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\Registry.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comdll\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\dwm.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\spoolsv.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comdll\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\dwm.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\SKB\\upfc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\RuntimeBroker.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comdll\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\dwm.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\RuntimeBroker.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\", \"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\comdll\\RuntimeBroker.exe\""	reviewdll.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	216	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	216	schtasks.exe	89

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2632	powershell.exe
4276	powershell.exe
2896	powershell.exe
2232	powershell.exe
3716	powershell.exe
4524	powershell.exe
2036	powershell.exe
4748	powershell.exe
3472	powershell.exe
2948	powershell.exe
1732	powershell.exe
3896	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	reviewdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	reviewdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	PvuKmrV6lX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	reviewdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 5 IoCs

pid	Process
3816	reviewdll.exe
3184	reviewdll.exe
540	PvuKmrV6lX.exe
1732	reviewdll.exe
2956	csrss.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewdll = "\"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewdll = "\"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Common Files\\microsoft shared\\RuntimeBroker.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Windows Mail\\Registry.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\spoolsv.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\SKB\\upfc.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Windows Mail\\Registry.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\spoolsv.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Common Files\\microsoft shared\\RuntimeBroker.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\Idle.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\comdll\\RuntimeBroker.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\dwm.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\SKB\\upfc.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Media Player\\lsass.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Media Player\\lsass.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewdll = "\"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\comdll\\RuntimeBroker.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\dwm.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewdll = "\"C:\\comdll\\reviewdll.exe\""	reviewdll.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC6FEAB0EBD5314CB9BDAB197DE6C13BB.TMP	csc.exe
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe
File created	\??\c:\Windows\System32\CSCEBD1E63B6F2E4D4CA616B36C255C56B.TMP	csc.exe
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\lsass.exe	reviewdll.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\6cb0b6c459d5d3	reviewdll.exe
File created	C:\Program Files\Windows Mail\Registry.exe	reviewdll.exe
File created	C:\Program Files\Windows Mail\ee2ad38f3d4382	reviewdll.exe
File created	C:\Program Files\Common Files\microsoft shared\9e8d7a4ca61bd9	reviewdll.exe
File created	C:\Program Files\Windows Media Player\6203df4a6bafc7	reviewdll.exe
File created	C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe	reviewdll.exe
File created	C:\Program Files\Internet Explorer\ja-JP\f3b6ecef712a24	reviewdll.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	reviewdll.exe
File created	C:\Program Files\Common Files\microsoft shared\RuntimeBroker.exe	reviewdll.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe	reviewdll.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\6ccacd8608530f	reviewdll.exe
File created	C:\Windows\SKB\upfc.exe	reviewdll.exe
File created	C:\Windows\SKB\ea1d8f6d871115	reviewdll.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe	reviewdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PvuKmrV6lX.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1220	PING.EXE
4928	PING.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	reviewdll.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	reviewdll.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	PvuKmrV6lX.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	reviewdll.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
212	reg.exe
2632	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4928	PING.EXE
1220	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
916	schtasks.exe
3676	schtasks.exe
2728	schtasks.exe
3964	schtasks.exe
3992	schtasks.exe
336	schtasks.exe
4988	schtasks.exe
1680	schtasks.exe
1868	schtasks.exe
3272	schtasks.exe
2072	schtasks.exe
4192	schtasks.exe
532	schtasks.exe
1228	schtasks.exe
2172	schtasks.exe
4068	schtasks.exe
1996	schtasks.exe
3172	schtasks.exe
1924	schtasks.exe
3664	schtasks.exe
4020	schtasks.exe
4912	schtasks.exe
212	schtasks.exe
860	schtasks.exe
1204	schtasks.exe
1780	schtasks.exe
2620	schtasks.exe
2016	schtasks.exe
4720	schtasks.exe
1128	schtasks.exe
4176	schtasks.exe
4548	schtasks.exe
3308	schtasks.exe
3168	schtasks.exe
4432	schtasks.exe
4928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe
3816	reviewdll.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	reviewdll.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	3184	reviewdll.exe
Token: SeDebugPrivilege	1732	reviewdll.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	2956	csrss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3184	reviewdll.exe
2956	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 1880	4520	DCRatBuild.exe	84
PID 4520 wrote to memory of 1880	4520	DCRatBuild.exe	84
PID 4520 wrote to memory of 1880	4520	DCRatBuild.exe	84
PID 1880 wrote to memory of 4020	1880	WScript.exe	85
PID 1880 wrote to memory of 4020	1880	WScript.exe	85
PID 1880 wrote to memory of 4020	1880	WScript.exe	85
PID 4020 wrote to memory of 212	4020	cmd.exe	87
PID 4020 wrote to memory of 212	4020	cmd.exe	87
PID 4020 wrote to memory of 212	4020	cmd.exe	87
PID 4020 wrote to memory of 3816	4020	cmd.exe	88
PID 4020 wrote to memory of 3816	4020	cmd.exe	88
PID 3816 wrote to memory of 3716	3816	reviewdll.exe	93
PID 3816 wrote to memory of 3716	3816	reviewdll.exe	93
PID 3716 wrote to memory of 1496	3716	csc.exe	95
PID 3716 wrote to memory of 1496	3716	csc.exe	95
PID 3816 wrote to memory of 2632	3816	reviewdll.exe	111
PID 3816 wrote to memory of 2632	3816	reviewdll.exe	111
PID 3816 wrote to memory of 4748	3816	reviewdll.exe	112
PID 3816 wrote to memory of 4748	3816	reviewdll.exe	112
PID 3816 wrote to memory of 1732	3816	reviewdll.exe	113
PID 3816 wrote to memory of 1732	3816	reviewdll.exe	113
PID 3816 wrote to memory of 2036	3816	reviewdll.exe	114
PID 3816 wrote to memory of 2036	3816	reviewdll.exe	114
PID 3816 wrote to memory of 3896	3816	reviewdll.exe	115
PID 3816 wrote to memory of 3896	3816	reviewdll.exe	115
PID 3816 wrote to memory of 4524	3816	reviewdll.exe	116
PID 3816 wrote to memory of 4524	3816	reviewdll.exe	116
PID 3816 wrote to memory of 1876	3816	reviewdll.exe	123
PID 3816 wrote to memory of 1876	3816	reviewdll.exe	123
PID 1876 wrote to memory of 2688	1876	cmd.exe	125
PID 1876 wrote to memory of 2688	1876	cmd.exe	125
PID 1876 wrote to memory of 1868	1876	cmd.exe	126
PID 1876 wrote to memory of 1868	1876	cmd.exe	126
PID 1876 wrote to memory of 3184	1876	cmd.exe	130
PID 1876 wrote to memory of 3184	1876	cmd.exe	130
PID 3184 wrote to memory of 3396	3184	reviewdll.exe	146
PID 3184 wrote to memory of 3396	3184	reviewdll.exe	146
PID 3396 wrote to memory of 456	3396	cmd.exe	148
PID 3396 wrote to memory of 456	3396	cmd.exe	148
PID 3396 wrote to memory of 1220	3396	cmd.exe	149
PID 3396 wrote to memory of 1220	3396	cmd.exe	149
PID 3396 wrote to memory of 540	3396	cmd.exe	150
PID 3396 wrote to memory of 540	3396	cmd.exe	150
PID 3396 wrote to memory of 540	3396	cmd.exe	150
PID 540 wrote to memory of 5004	540	PvuKmrV6lX.exe	151
PID 540 wrote to memory of 5004	540	PvuKmrV6lX.exe	151
PID 540 wrote to memory of 5004	540	PvuKmrV6lX.exe	151
PID 5004 wrote to memory of 940	5004	WScript.exe	153
PID 5004 wrote to memory of 940	5004	WScript.exe	153
PID 5004 wrote to memory of 940	5004	WScript.exe	153
PID 940 wrote to memory of 2632	940	cmd.exe	155
PID 940 wrote to memory of 2632	940	cmd.exe	155
PID 940 wrote to memory of 2632	940	cmd.exe	155
PID 940 wrote to memory of 1732	940	cmd.exe	156
PID 940 wrote to memory of 1732	940	cmd.exe	156
PID 1732 wrote to memory of 3700	1732	reviewdll.exe	160
PID 1732 wrote to memory of 3700	1732	reviewdll.exe	160
PID 3700 wrote to memory of 4432	3700	csc.exe	162
PID 3700 wrote to memory of 4432	3700	csc.exe	162
PID 1732 wrote to memory of 4276	1732	reviewdll.exe	178
PID 1732 wrote to memory of 4276	1732	reviewdll.exe	178
PID 1732 wrote to memory of 2896	1732	reviewdll.exe	179
PID 1732 wrote to memory of 2896	1732	reviewdll.exe	179
PID 1732 wrote to memory of 2948	1732	reviewdll.exe	180

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comdll\4exWDwzwdGdIoLb6OOTKDeE5vKnmRp2hJNj7qr4y3yRCw2tu43CBSny6KK.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\comdll\4j9mXD4SFtpK7TbDoMbaMV7rHFTx27gv5loxd61ax9TZaUUhHC.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:212
  - - C:\comdll\reviewdll.exe
      "C:\comdll/reviewdll.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\taotpnag\taotpnag.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A3E.tmp" "c:\Windows\System32\CSC6FEAB0EBD5314CB9BDAB197DE6C13BB.TMP"
        6⤵
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\reviewdll.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gbxtWhUzb5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2688
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1868
      - C:\comdll\reviewdll.exe
        
        "C:\comdll\reviewdll.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C6fd2m15ZL.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\PvuKmrV6lX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\PvuKmrV6lX.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comdll\4exWDwzwdGdIoLb6OOTKDeE5vKnmRp2hJNj7qr4y3yRCw2tu43CBSny6KK.vbe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comdll\4j9mXD4SFtpK7TbDoMbaMV7rHFTx27gv5loxd61ax9TZaUUhHC.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2632
        
        C:\comdll\reviewdll.exe
        
        "C:\comdll/reviewdll.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w1r5lzrd\w1r5lzrd.cmdline"
        12⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF57C.tmp" "c:\Windows\System32\CSCEBD1E63B6F2E4D4CA616B36C255C56B.TMP"
        13⤵
        
        PID:4432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\RuntimeBroker.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\Registry.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\reviewdll.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nqfv53aDl1.bat"
        12⤵
        
        PID:1784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4928
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\SKB\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdllr" /sc MINUTE /mo 8 /tr "'C:\comdll\reviewdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdll" /sc ONLOGON /tr "'C:\comdll\reviewdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdllr" /sc MINUTE /mo 14 /tr "'C:\comdll\reviewdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "smss" /f
1⤵
- Process spawned unexpected child process
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "smsss" /f
1⤵
- Process spawned unexpected child process
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "upfc" /f
1⤵
- Process spawned unexpected child process
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "upfcu" /f
1⤵
- Process spawned unexpected child process
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsass" /f
1⤵
- Process spawned unexpected child process
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsassl" /f
1⤵
- Process spawned unexpected child process
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewdll" /f
1⤵
- Process spawned unexpected child process
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewdllr" /f
1⤵
- Process spawned unexpected child process
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\comdll\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comdll\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\comdll\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdllr" /sc MINUTE /mo 9 /tr "'C:\comdll\reviewdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdll" /sc ONLOGON /tr "'C:\comdll\reviewdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdllr" /sc MINUTE /mo 7 /tr "'C:\comdll\reviewdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\9e8d7a4ca61bd9

Filesize
964B

MD5
4878297dbc3c3b4fe1be137ff0c87954

SHA1
f2a892e70729c3b9fdb4dc9e6771a5bb0356f414

SHA256
040ed2f04fe575ceca14d35e57539821188d6ec276c0413e4866e847a1464128

SHA512
729d443d7ceef0522380f696750acecb0abbee850ca7f67bc0791fb5e311612464b0554def098d5b66fb888c7d27f1c1b48ef8931c1ef31723ecbd068fec3bcd

Download Submit
C:\Program Files\Windows Media Player\6203df4a6bafc7

Filesize
343B

MD5
0b1fe608579edf4714654e2ce19495db

SHA1
c033992915b90e4ef3fc77967c84cbf04f3c944c

SHA256
8ec5dacd7f5243dd087ecab122fcbf354047820cc8f7e6ad9c83232a8b40f929

SHA512
dc96868582dab5d5611b0f45901bce5635fcb7a9cbef9da2ca4d3be3bb9148cf25fd7d818f012425982a2964d8da72127a2331b005e4e517da592ebc8b42678b

Download Submit
C:\Recovery\WindowsRE\69ddcba757bf72

Filesize
98B

MD5
8bf5096b9451cdfed78cd033ba4d9763

SHA1
ba04258a739bc32c557f9c5c18c682a9c48fd7a9

SHA256
741695b71f13fa964d059df2e77897c1e11177a145cf1d72c50dd20a1ec98242

SHA512
ac93fbe7309bac341cab5c93c15b2845ffacdf4c22913d50d113d5c97b02e8a574480eafe20466b03880b13a37e9c4fac7cb68e3ea18f5f2286b2ffa68b47c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewdll.exe.log

Filesize
1KB

MD5
e54e1c1280ad00de4d4c9459bb779bf3

SHA1
4416134d95c6219450063e0f9b9dbf296e880242

SHA256
53c278a43ff7d45585a3d9b16445eb70d8e0c6be1a6eab68267d61e8ac542d91

SHA512
0dadc0330db8f957e4f488fce25ca96794ebeda371b9744a7e89ded59f965207511f64ac9af8df3d372724cedb85d928df9551492e47c3dbcaccc06dda5a8a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
232B

MD5
85ff326e9d3af4ac7cace8d6e5d1057b

SHA1
fa30f5a77fe80edcad7e995e3e831e983ec8025f

SHA256
1d9ab040261e4e54d10d872533cd2eeee0ee3fbbce219e17e35b107151855838

SHA512
b9652fdb8b1ee469eaa901f2f76d35aa90f25f1589b6886c8f73822c44bc63ca89ea4d3472cacc6141a667a41603de81959a299e3dc8ec3e995bf5749ac37c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6fd2m15ZL.bat

Filesize
258B

MD5
6aaa889561b6ed90c9cb380e3c0f3d14

SHA1
e56955d96d351f31b48956944be64ae609c12e6b

SHA256
83d9b93d6e0ec376b277debf76d8bc4f590346e517c122de8c9761b71d13eec2

SHA512
8790bccd2bb04958e73ae08fbdd2eba10e65f1df9a3a9e7d8dba9fd77f7ad5418db78e3189f3eadf40fd07511d95726b88a94b25aab5a806817e70aff3760869

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nqfv53aDl1.bat

Filesize
159B

MD5
e17d2fb1d0c1bf400e407c25565962ab

SHA1
ef1f340f6a3657b40b61163461e5d37c92c76c6c

SHA256
d7597b2a6571688cb1ab9ac570fd75d5149163e4c3f72b519d6981fa3abe2a9b

SHA512
6d4eb75cfc8d1ac8ed30d656174d78b479c846c7a398c0534f54855528f7163d98fe74729679fbe16121dfe8a1454a5b2a0e010e2833238237ab21e984cee49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvuKmrV6lX.exe

Filesize
3.7MB

MD5
072756d824448388227ca413cf9b30fb

SHA1
3774a14ae84e955c57a35f82da833d46cea22ed3

SHA256
0043be0527169c370619ab57df3eefb66f7742e90449cfc952489d70fdbca59a

SHA512
2a3953faddf9b6037a0a34499ac11011e4c22d931ba9e4ab174b0ebd7e1c1bade9546a6b970f6280402905159b42bcdc60c92a91e8dd39cd9ff14ddf73638a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A3E.tmp

Filesize
1KB

MD5
fc6d49b671e09e4ddf39493d7b029340

SHA1
819e071f671e5b1e6d9b8c53cda4091b39d39fae

SHA256
5d6a0a02f151b253d8afc398a962441fbe51d73999325160d219b6abd454142e

SHA512
1b5b290ea282e50a48b7b6dbc36c4379d63f77d4da4222a5791215fd910b58230c8007522dd6b9fcba12c6159262d3ce82be9879cad45f90c54dc636cb7fdd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF57C.tmp

Filesize
1KB

MD5
9d521b309a81be344ab632e395180d44

SHA1
ac547bc887f572552e07947b88bbaa75d8edb488

SHA256
c2d2641ef341ef152e9119fe8393fe0e578197a74ab2d6f6d894f880ec425c1d

SHA512
1f06b686cba49f835155b622bf8e5c02da3c6849c4fc01dc2d099326ac21af0525abab6facfd590b20396f78d885da37acf5b7eaaeb8bb0795cdd6f84ec77894

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apd4sjuq.zni.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbxtWhUzb5.bat

Filesize
199B

MD5
3d7765f158136595003f53235661a7c5

SHA1
7db0295bf4397e7d5c95174c77c65362722c5f7b

SHA256
59a24facf5c35b36d87d286ba3270b911b658e557fc0a9b95c17a978b643905f

SHA512
acfd08daf2b645a6149a667d96dd650517ff5308f9b928fc176af5dffbfc864a310124fed2ebd29cb86f1f3fd201b5f0b406937c0a0c4cda98bdbdb660badbf1

Download Submit
C:\Windows\SKB\ea1d8f6d871115

Filesize
704B

MD5
1693ff01fee8449e9399920f77b913cf

SHA1
f1314379eb10060a938380a6df440d9620983277

SHA256
1958b2d634b7cfcf59ea137e1c143df7cef5b3c10a3f4a8402dc47f594ffa56d

SHA512
0e877989fd30e14fd3aeeefc930a39a0be9e63e299cfaaa12116ac6f6c636a0ee2f6e56e4a348e06dced32b2bb77cbd9353705d6902af49688b3f3f47b446822

Download Submit
C:\Windows\Speech_OneCore\Engines\SR\en-US-N\6ccacd8608530f

Filesize
957B

MD5
be65478b8efb55f0bb7b124d8005fdac

SHA1
483930184fe8d65c628a4d28fae6014f02769059

SHA256
9174410702982d584e1cf9a2a95bcb48a57c3fe24b2f7ffe76153b30f41e2bce

SHA512
82fa6db3d47f1673f8a17e87ed9b1d814889c77c9a7b20018e678d4218770324e03c1acc08ce0a2371bceba3c7807add1f910698612e2cc18ab5c5fc6ec8b0a6

Download Submit
C:\comdll\4exWDwzwdGdIoLb6OOTKDeE5vKnmRp2hJNj7qr4y3yRCw2tu43CBSny6KK.vbe

Filesize
234B

MD5
46d7e19eabaed1a2f85b8a8424dac416

SHA1
e06d990343b40ba693a9d791bc32822758e9e460

SHA256
a3ee2e31da36005b292231d790c3103560ca7e9aa2f106ce8357b28e480d17fe

SHA512
e99691e90149c41c00f4cb7c1b0839ce4c5bc3cee49f6275887404d3807e0c0af04901b7813231576e2cd1226aeb3a6c025bdee7d67bfc35cd7e33cf33b78a49

Download Submit
C:\comdll\4j9mXD4SFtpK7TbDoMbaMV7rHFTx27gv5loxd61ax9TZaUUhHC.bat

Filesize
187B

MD5
eb4292c364e92458c77e875e2c7df7da

SHA1
b53e0db95ddb58ecf519ede0d7a976a52516eaed

SHA256
3ab7ad885c7422ef507d9878ea1b371c9b0c7e6bf3f93dd0a576c8d3bc850280

SHA512
0fb3aeae473d6a6a805ed580833d6b6dd5a8e3c81500b2c054a3d6c22e75425118f18f8ea8a81daac2c4979e75ecff6979bd1c2b5becf88982b8d04abf9fae01

Download Submit
C:\comdll\fa97c6aa59ca5d

Filesize
439B

MD5
7efc70d2487ea0ea7470e8987e58e953

SHA1
6e80ece3d75acbce9b565683a6528a3bb7d519d0

SHA256
ad3920e3c9bf7de3780aa3fa1956a3a1968ca3b4fc4ca7b06df138c7c7c53321

SHA512
3409f51d9e9521f72e947d222d3cb989db21602f197027d5c0f2254bf4e37638fd71908577c3c5dde6654b4a1d92eed4df98683176099df8e2c591c0cd2481e3

Download Submit
C:\comdll\reviewdll.exe

Filesize
3.4MB

MD5
278bb3a4ab923948a0c4f83edd2dee9c

SHA1
8852d6a67748a8656ddf19cee916b155044680bd

SHA256
b8046f1e47f1673806a5b2938f5194e2984a7c385a13ff8c9daeb378e5d66793

SHA512
8b8db76161204c482474b010b2a5605d5d4e9543d67c4dac1d643860351e12eabeca733fbfc30011447aff660be27e3d80d48e88548408c4a8645e5bcb94c26c

Download Submit
C:\windows\system32\enb1sa.exe

Filesize
4KB

MD5
d401037f5ecab2a14860626c11e267d3

SHA1
5e84a4e17b559713ce41316ec1152a8d8df965ff

SHA256
748530c43c9727e00221f494c6de937822d3c5fb9066a5da0194245558adb1e9

SHA512
9f61c983d3aba8a09a879e6e83132a8d0a72fa0652248fe7a83c790b8e5c8808aa6bf2a9d0f97887c55a6a9012613582f09daccf238f4e025c129883ec88e1ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\taotpnag\taotpnag.0.cs

Filesize
362B

MD5
8139344deb5f7562ca276436b6be83b3

SHA1
849f31ef736df73b5b770f955983baa24488d39c

SHA256
a2194f52a971914e16540d502c958b855c3a9f4aea59681d5046834075cc2e4e

SHA512
821cec6cf0754005961edaf8d095d576763f8f15911896fe0df9137fc80b063522cddeb9b577602961cbbd95c90a779718b1aba3c90cb3c4592826e6dbcf7d55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\taotpnag\taotpnag.cmdline

Filesize
235B

MD5
c1080376153234c92e1aa09e9a7f3a25

SHA1
65cf61229f84b3ea3cf42ea3bf65a31c977f2491

SHA256
236d95d913738e9f9a893211a66edef97c15f2b18524cf03d85dfce6c201d98b

SHA512
370a3c41887d86c26b929fb7f75187925805bcbb8baac032cc873939cb924a3e5137004bcd74b99dacd2c587b7666b46693ad1a8c84dee725337571f4fccb706

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w1r5lzrd\w1r5lzrd.0.cs

Filesize
359B

MD5
33552f094d9081f525031b7947b5f4e5

SHA1
90189a1d5d10f28f960b3584008d8db894f0a09b

SHA256
50ceef6b567221aa394fa205908651ff1316e96a259ec2d38bb4f2ed1ebaaa90

SHA512
b902318d70ae70615f2ae0c69476a37f6a043e10e3afd51b3732d1d1a1952c6bd95ab70dd52f4112c0d68db1aff40e20520add51f3031f49b93e4658b710b1f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w1r5lzrd\w1r5lzrd.cmdline

Filesize
235B

MD5
1a65a6230703d89e9bf7d7d13e3674c1

SHA1
5e019daba34cb9b3acb54e14728ee52beead79a8

SHA256
a753416b021a2f2098ee538d11071b3393c23f8910d686d7e7f3f2b308e340c4

SHA512
f257010161b27cfb2e9ac085b591872801396a66f1371b023620d86ed99898ce67237e281ce7ccbbefa0209e7de2684abe8e1f69b3aaddea00c27e3089125d72

Download Submit
\??\c:\Windows\System32\CSC6FEAB0EBD5314CB9BDAB197DE6C13BB.TMP

Filesize
1KB

MD5
5984679060d0fc54eba47cead995f65a

SHA1
f72bbbba060ac80ac6abedc7b8679e8963f63ebf

SHA256
4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

SHA512
bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

Download Submit
memory/2232-319-0x0000016834E70000-0x000001683508C000-memory.dmp

Filesize
2.1MB

Download
memory/2632-94-0x00000223B6A60000-0x00000223B6A82000-memory.dmp

Filesize
136KB

Download
memory/2896-310-0x0000020838470000-0x000002083868C000-memory.dmp

Filesize
2.1MB

Download
memory/2948-309-0x00000205B4C10000-0x00000205B4E2C000-memory.dmp

Filesize
2.1MB

Download
memory/3472-313-0x00000253F5700000-0x00000253F591C000-memory.dmp

Filesize
2.1MB

Download
memory/3716-316-0x0000026FEE630000-0x0000026FEE84C000-memory.dmp

Filesize
2.1MB

Download
memory/3816-31-0x000000001C2F0000-0x000000001C300000-memory.dmp

Filesize
64KB

Download
memory/3816-19-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/3816-36-0x000000001C910000-0x000000001CE38000-memory.dmp

Filesize
5.2MB

Download
memory/3816-35-0x000000001C3C0000-0x000000001C3D2000-memory.dmp

Filesize
72KB

Download
memory/3816-33-0x000000001C3A0000-0x000000001C3B6000-memory.dmp

Filesize
88KB

Download
memory/3816-56-0x000000001C710000-0x000000001C75E000-memory.dmp

Filesize
312KB

Download
memory/3816-29-0x000000001C360000-0x000000001C372000-memory.dmp

Filesize
72KB

Download
memory/3816-27-0x000000001C2E0000-0x000000001C2EE000-memory.dmp

Filesize
56KB

Download
memory/3816-25-0x000000001C290000-0x000000001C2A0000-memory.dmp

Filesize
64KB

Download
memory/3816-23-0x000000001C280000-0x000000001C290000-memory.dmp

Filesize
64KB

Download
memory/3816-40-0x000000001C380000-0x000000001C390000-memory.dmp

Filesize
64KB

Download
memory/3816-42-0x000000001C390000-0x000000001C3A0000-memory.dmp

Filesize
64KB

Download
memory/3816-21-0x000000001C2C0000-0x000000001C2D8000-memory.dmp

Filesize
96KB

Download
memory/3816-38-0x000000001C300000-0x000000001C30E000-memory.dmp

Filesize
56KB

Download
memory/3816-17-0x000000001C310000-0x000000001C360000-memory.dmp

Filesize
320KB

Download
memory/3816-16-0x000000001C2A0000-0x000000001C2BC000-memory.dmp

Filesize
112KB

Download
memory/3816-44-0x000000001C440000-0x000000001C49A000-memory.dmp

Filesize
360KB

Download
memory/3816-46-0x000000001C3E0000-0x000000001C3EE000-memory.dmp

Filesize
56KB

Download
memory/3816-14-0x00000000033E0000-0x00000000033EE000-memory.dmp

Filesize
56KB

Download
memory/3816-48-0x000000001C3F0000-0x000000001C400000-memory.dmp

Filesize
64KB

Download
memory/3816-54-0x000000001C410000-0x000000001C41C000-memory.dmp

Filesize
48KB

Download
memory/3816-12-0x0000000000EE0000-0x0000000001246000-memory.dmp

Filesize
3.4MB

Download
memory/3816-50-0x000000001C400000-0x000000001C40E000-memory.dmp

Filesize
56KB

Download
memory/3816-52-0x000000001C4A0000-0x000000001C4B8000-memory.dmp

Filesize
96KB

Download
memory/4276-306-0x0000024678E60000-0x000002467907C000-memory.dmp

Filesize
2.1MB

Download