dcrat | ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3

Analysis

max time kernel
119s
max time network
112s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Size

1.5MB
MD5

368ba276407bceef1d4df345743b6180
SHA1

0d704acfa11ad481a39a476b21a748b0b553f4ae
SHA256

ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3
SHA512

466c41a25a2fbebf8c1a15d4a272722621d64a09f63e09ea784be986b37ec766bd23b534ba42f678d881e0b21026f11c6757eb9bde7e717b67b31b816f453bb1
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052315-0\\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052315-0\\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe\", \"C:\\Documents and Settings\\taskhost.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052315-0\\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe\", \"C:\\Documents and Settings\\taskhost.exe\", \"C:\\PerfLogs\\Admin\\services.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\dwm.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\msdfmap\\explorer.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2720	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1272	powershell.exe
1616	powershell.exe
2352	powershell.exe
1352	powershell.exe
1576	powershell.exe
1972	powershell.exe
1652	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Executes dropped EXE 8 IoCs

pid	Process
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2708	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1548	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1212	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1892	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2604	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
672	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1960	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\msdfmap\\explorer.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Documents and Settings\\taskhost.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\Admin\\services.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052315-0\\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052315-0\\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Documents and Settings\\taskhost.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\Admin\\services.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\msdfmap\\explorer.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\dwm.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\dwm.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\msdfmap\explorer.exe	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
File opened for modification	C:\Windows\msdfmap\explorer.exe	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
File created	C:\Windows\msdfmap\7a0fd90576e088	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
File opened for modification	C:\Windows\msdfmap\RCXB655.tmp	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2560	schtasks.exe
2528	schtasks.exe
2884	schtasks.exe
2628	schtasks.exe
2796	schtasks.exe
2536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
1616	powershell.exe
1576	powershell.exe
1652	powershell.exe
1352	powershell.exe
1272	powershell.exe
1972	powershell.exe
2352	powershell.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Token: SeDebugPrivilege	2708	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Token: SeDebugPrivilege	1548	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Token: SeDebugPrivilege	1212	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Token: SeDebugPrivilege	1892	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Token: SeDebugPrivilege	2604	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Token: SeDebugPrivilege	672	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Token: SeDebugPrivilege	1960	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1272	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	37
PID 1836 wrote to memory of 1272	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	37
PID 1836 wrote to memory of 1272	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	37
PID 1836 wrote to memory of 1616	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	38
PID 1836 wrote to memory of 1616	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	38
PID 1836 wrote to memory of 1616	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	38
PID 1836 wrote to memory of 1652	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	39
PID 1836 wrote to memory of 1652	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	39
PID 1836 wrote to memory of 1652	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	39
PID 1836 wrote to memory of 1972	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	42
PID 1836 wrote to memory of 1972	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	42
PID 1836 wrote to memory of 1972	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	42
PID 1836 wrote to memory of 2352	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	43
PID 1836 wrote to memory of 2352	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	43
PID 1836 wrote to memory of 2352	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	43
PID 1836 wrote to memory of 1576	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	44
PID 1836 wrote to memory of 1576	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	44
PID 1836 wrote to memory of 1576	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	44
PID 1836 wrote to memory of 1352	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	45
PID 1836 wrote to memory of 1352	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	45
PID 1836 wrote to memory of 1352	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	45
PID 1836 wrote to memory of 1864	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	51
PID 1836 wrote to memory of 1864	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	51
PID 1836 wrote to memory of 1864	1836	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	51
PID 1864 wrote to memory of 2752	1864	cmd.exe	53
PID 1864 wrote to memory of 2752	1864	cmd.exe	53
PID 1864 wrote to memory of 2752	1864	cmd.exe	53
PID 1864 wrote to memory of 2408	1864	cmd.exe	55
PID 1864 wrote to memory of 2408	1864	cmd.exe	55
PID 1864 wrote to memory of 2408	1864	cmd.exe	55
PID 2408 wrote to memory of 876	2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	56
PID 2408 wrote to memory of 876	2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	56
PID 2408 wrote to memory of 876	2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	56
PID 2408 wrote to memory of 1500	2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	57
PID 2408 wrote to memory of 1500	2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	57
PID 2408 wrote to memory of 1500	2408	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	57
PID 876 wrote to memory of 2708	876	WScript.exe	58
PID 876 wrote to memory of 2708	876	WScript.exe	58
PID 876 wrote to memory of 2708	876	WScript.exe	58
PID 2708 wrote to memory of 2588	2708	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	59
PID 2708 wrote to memory of 2588	2708	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	59
PID 2708 wrote to memory of 2588	2708	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	59
PID 2708 wrote to memory of 2988	2708	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	60
PID 2708 wrote to memory of 2988	2708	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	60
PID 2708 wrote to memory of 2988	2708	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	60
PID 2588 wrote to memory of 1548	2588	WScript.exe	61
PID 2588 wrote to memory of 1548	2588	WScript.exe	61
PID 2588 wrote to memory of 1548	2588	WScript.exe	61
PID 1548 wrote to memory of 3016	1548	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	62
PID 1548 wrote to memory of 3016	1548	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	62
PID 1548 wrote to memory of 3016	1548	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	62
PID 1548 wrote to memory of 408	1548	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	63
PID 1548 wrote to memory of 408	1548	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	63
PID 1548 wrote to memory of 408	1548	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	63
PID 3016 wrote to memory of 1212	3016	WScript.exe	64
PID 3016 wrote to memory of 1212	3016	WScript.exe	64
PID 3016 wrote to memory of 1212	3016	WScript.exe	64
PID 1212 wrote to memory of 1744	1212	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	65
PID 1212 wrote to memory of 1744	1212	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	65
PID 1212 wrote to memory of 1744	1212	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	65
PID 1212 wrote to memory of 664	1212	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	66
PID 1212 wrote to memory of 664	1212	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	66
PID 1212 wrote to memory of 664	1212	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe	66
PID 1744 wrote to memory of 1892	1744	WScript.exe	67

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
"C:\Users\Admin\AppData\Local\Temp\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\msdfmap\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vxxcpnwoQD.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
    "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2408
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9457e8a-214c-410b-af0e-3a63d45712b0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2708
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8836313-ba25-4e38-8f6c-814237f2a989.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f5171e3-19be-429f-b9de-95dd146e3956.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3335c02-c7a3-4cfe-94f9-0de2df7ca01c.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\001c3305-c691-4324-895b-1ba6b2961708.vbs"
        12⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\005d1dd6-acbc-4cb4-90cd-e82f63c79794.vbs"
        14⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0210ce15-934e-470c-9d8d-019e5088e09a.vbs"
        16⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4da40c85-d17f-474e-8602-ca00fafe9d9c.vbs"
        18⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b20156ec-60cf-40c2-9ffd-608fdd706554.vbs"
        18⤵
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d1bf3b5-3887-4aa0-b404-00d933357f14.vbs"
        16⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\912335d5-f45d-4f2f-ac25-87d3a88c06a2.vbs"
        14⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6bcca9c-984d-4dce-b3e0-4e58c983327c.vbs"
        12⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1caa633e-36a1-4202-a9b4-54f4cafa0419.vbs"
        10⤵
        
        PID:664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2edc52b-f2d7-4ce4-a603-7df1df659173.vbs"
        8⤵
        
        PID:408
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\036e9342-21e3-4252-9a7b-b367c4bc79e2.vbs"
        6⤵
        
        PID:2988
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c04ace4-739a-4dbf-be5e-0fb673b2f182.vbs"
      4⤵
      PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\msdfmap\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Documents and Settings\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001c3305-c691-4324-895b-1ba6b2961708.vbs

Filesize
806B

MD5
d6ef03e96f63caa51b37c75a317a0761

SHA1
4f49418605764187a6e6405433055847484abc76

SHA256
4791c082ee9ce035725acd23cc7dfbcb94deb48217a7b85a98fb5b383c59cef0

SHA512
604aceb5b9863de8c049639283a20fb4a61fb3d35e52c12b6f9d941ae291ae89cf7902fe6634566d127fe0ddf5b5a158bf7919dc2038a3a4a2d2d68f80e8e5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\005d1dd6-acbc-4cb4-90cd-e82f63c79794.vbs

Filesize
806B

MD5
11b074381cd5963af43d88f4ee6155c2

SHA1
6d4dc936875f5a3126e037d982dfa68acd7668c3

SHA256
7fb274581a89a5951a0c7271f829a715674406c812553e5c77453fbdad5a82d5

SHA512
5847c7f94f267fbaa023f601ac1f9b48e399573eb3e75d729b0416739005fabcc9aa23df94c2eb03f2e5dc8522ec0b96cac7bc56d69bea4beedacb9513f8aed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0210ce15-934e-470c-9d8d-019e5088e09a.vbs

Filesize
805B

MD5
4c71958496dd7c283c41c4d4134b2410

SHA1
ba014f83440d5b7fb285fb4ae518f847a4bf0ac8

SHA256
d11852e915bc0fed9e3c4710b860e831d3a35f38009ee58bfe9805c3ae89a247

SHA512
b9f5b2ac2ed6de6aeffdabe2c35375c87c9e970e3e48655ddb9e777b78c70874a76b5d95f658311d44af2212dd9a2dfb60fe036441f225127ef8ac149c6a6726

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c04ace4-739a-4dbf-be5e-0fb673b2f182.vbs

Filesize
582B

MD5
06221889d5e3783322415a37522d1135

SHA1
bdfd3b6fda0e3fcf99d7da854eb8ff87836c8792

SHA256
409d39935532d8cf4c455ba50970ef2305b86e1ba8dc8f123512329c8e011252

SHA512
168a898cd14fa39f2afdf0a483f8f3b74c7037f4c0ceeb30833c2cb89b7f6d5743c4d6f5f1d645aa9829ad2c3387a7b95f804c46ec02fa39766e87a163c95f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4da40c85-d17f-474e-8602-ca00fafe9d9c.vbs

Filesize
806B

MD5
555312f40057fdfb35bfdb0ec658fd15

SHA1
f0b145ddac92eb951a76e35d2dc3ad3c58411f43

SHA256
99251a56c377032b1bd9d1674c443d19eeec475dad955440d992b242da3eedb4

SHA512
151761d773122d0ae525263d028a16732991559c21b15120d00ebf06316d314221b9731de0c3ef49d3ae842faf43ec165c05d2a60032ef7647889e06fa512803

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f5171e3-19be-429f-b9de-95dd146e3956.vbs

Filesize
806B

MD5
ea5733ad370989606c3d046799d5bb5f

SHA1
c19160588718cdbc5cb06851513044f6ee2cfef8

SHA256
e804a432d7b7a808921ccf9fec7e88a3259e4d65c620eb2d0b1f004e8d4b9dd2

SHA512
178bd42f971b4286b87ba5cb693eb484774b5803c8885a878d5df8a7feedcc51755dc416552c7550a90aaa14835a5057c29529ce83b1708bd589abe3d082e639

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3335c02-c7a3-4cfe-94f9-0de2df7ca01c.vbs

Filesize
806B

MD5
1086d9926b13e3b5035714fc94873af9

SHA1
f4646bf849bec2fa94756aef9be99c45d0d05697

SHA256
aa8241c1cf85c4d1bad9cc00eca245fae48b667b4200bf5562aa947f7b94e85e

SHA512
dea3bfb856ba3fb745986f798365eb4cb89bacb5c10e953f69203ed03078919b584e538572ed972a48c3468cb962aced3dcc4aa454584049ec78f15f9377f023

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9457e8a-214c-410b-af0e-3a63d45712b0.vbs

Filesize
806B

MD5
93e79fb46da0abbbadd28d1bea0b380c

SHA1
424372994b0eb3860fb9d7f5cf382b396050a6bb

SHA256
168603a2f863c67549bf43158b6aa869ae610fcf51516ba666584f85bd569a57

SHA512
2cb99a55fb4d77966ced2b21b27fe7ce138bbedbf6b01bb801bf19fec049c424cb6c77b835537e4410f1d394bb5b82ee5d3d89a9a9fc355dd922aa04daf4d410

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8836313-ba25-4e38-8f6c-814237f2a989.vbs

Filesize
806B

MD5
b44ffddc71ab43f10d41f630722ca1dd

SHA1
45f2f6e5041e48fb72498baf8d559b57dde70deb

SHA256
17d7b2ed10353fde9acea84f7a0ebe76e7d2516cf7d05d927aa6cf7e3a8b7b8d

SHA512
0e76e7df57b5bd9cdbc4f8d60f31faa6eb0e0624e477638050fdda65f642ec63c3680d9940ba214c88d36a33a7dc73bbf06710ee0d89d45bbb11c0d7030c9cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0\ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3N.exe

Filesize
1.5MB

MD5
6c48b5590c3297f518aaaf98711e8c5b

SHA1
2ea96a92c3dbb2c83ac2b8e70bb77a0e4e73bb9e

SHA256
34651baa987440ded4fdf91517e1ee4bd9747000b39ba06852679dbd494da9ab

SHA512
93a0390bff5cbd53ea7ebf61ed748296d8cbe1c1da9bf46365c0d3e62fb43b7746462ca271691df4d7a083a5c5db5dbbbdce03d6f40ff14cc0db96061293157b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxxcpnwoQD.bat

Filesize
294B

MD5
226196e4e129baf202d1ee801f26f7b3

SHA1
170152aff0d5f821a29d6797701df305130b042c

SHA256
7b79574b444c81e1e352482eccd362c257d4bf36638811c480ad4010af72e679

SHA512
0b7f69ec963e33301b433b6a3b9a871ea1fe952580222c57d57cd0dea82b50e3d190a92c5e4e93eedae42469b3289071782c99534d6e8e2c20d567836d355274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f3ea5b3e1ccca04123103f384b389466

SHA1
78ab887e56ca94c08603cd9ed10030fe04f90628

SHA256
e5cf3f8a6c3a074ef7e002e6740be5449ea671a93c0d67e31dcad58d569597a4

SHA512
d9ca107fd358f16b7644019ee900269f496f1b4f1a713a0a0ad5ec468a0785df3cf85d3a3ec4a6f7d3edc86a8b3dbcf86a7c895743f8237f950034800f4e8ec9

Download Submit
C:\Users\taskhost.exe

Filesize
1.5MB

MD5
368ba276407bceef1d4df345743b6180

SHA1
0d704acfa11ad481a39a476b21a748b0b553f4ae

SHA256
ecbd4f851628a8e82ef458454ee490fed137b863e5adba90a7574a001e1f79a3

SHA512
466c41a25a2fbebf8c1a15d4a272722621d64a09f63e09ea784be986b37ec766bd23b534ba42f678d881e0b21026f11c6757eb9bde7e717b67b31b816f453bb1

Download Submit
memory/672-198-0x00000000012D0000-0x000000000144E000-memory.dmp

Filesize
1.5MB

Download
memory/1212-160-0x0000000001390000-0x000000000150E000-memory.dmp

Filesize
1.5MB

Download
memory/1212-161-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1272-111-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/1616-114-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1836-11-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/1836-1-0x0000000000850000-0x00000000009CE000-memory.dmp

Filesize
1.5MB

Download
memory/1836-18-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/1836-24-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/1836-17-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/1836-16-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/1836-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/1836-116-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/1836-15-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1836-14-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/1836-13-0x00000000021F0000-0x00000000021FA000-memory.dmp

Filesize
40KB

Download
memory/1836-2-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/1836-3-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1836-12-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/1836-21-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/1836-4-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/1836-20-0x0000000002290000-0x000000000229C000-memory.dmp

Filesize
48KB

Download
memory/1836-10-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/1836-9-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1836-8-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/1836-7-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/1836-6-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/1836-5-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/1892-174-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1892-173-0x0000000000070000-0x00000000001EE000-memory.dmp

Filesize
1.5MB

Download
memory/1960-210-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2408-125-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2408-124-0x0000000001290000-0x000000000140E000-memory.dmp

Filesize
1.5MB

Download
memory/2604-186-0x0000000000950000-0x0000000000ACE000-memory.dmp

Filesize
1.5MB

Download
memory/2708-137-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2708-136-0x00000000012B0000-0x000000000142E000-memory.dmp

Filesize
1.5MB

Download