dcrat | 75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Size

2.2MB
MD5

8c76e7dcc8ae18ed5107083568de5c15
SHA1

b229653c55b499475dc90fd7f517dad0ddf83afa
SHA256

75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835
SHA512

bb1d47f24fe11a598c85ad3204bf272be66763d20b880996f68f06b0623aa7d823af44a60722977e539f8a80fab1bd9fd8866da0ffc72251d91aa38603ed12bb
SSDEEP

49152:a31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:altZUE6NDyTo9lv2F+VvK6

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 49 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3056	schtasks.exe
		716	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
		2952	schtasks.exe
		3028	schtasks.exe
		608	schtasks.exe
		1988	schtasks.exe
		1748	schtasks.exe
		2632	schtasks.exe
		2656	schtasks.exe
		2416	schtasks.exe
		2164	schtasks.exe
		2224	schtasks.exe
		556	schtasks.exe
		2468	schtasks.exe
		2220	schtasks.exe
		3000	schtasks.exe
		2140	schtasks.exe
		944	schtasks.exe
		2704	schtasks.exe
		1660	schtasks.exe
		2868	schtasks.exe
		1812	schtasks.exe
		1000	schtasks.exe
		2360	schtasks.exe
		2252	schtasks.exe
		3008	schtasks.exe
		1780	schtasks.exe
		2668	schtasks.exe
		3040	schtasks.exe
		2856	schtasks.exe
		1508	schtasks.exe
		108	schtasks.exe
		2608	schtasks.exe
		2344	schtasks.exe
		1612	schtasks.exe
		2032	schtasks.exe
		2312	schtasks.exe
		1976	schtasks.exe
		2196	schtasks.exe
		1704	schtasks.exe
		1232	schtasks.exe
		2092	schtasks.exe
		2144	schtasks.exe
		2948	schtasks.exe
		2232	schtasks.exe
		1700	schtasks.exe
		2640	schtasks.exe
		2940	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe\", \"C:\\Program Files\\Google\\System.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\System.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\", \"C:\\Users\\Admin\\Pictures\\sppsvc.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Google\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe\", \"C:\\Program Files\\Google\\System.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\spoolsv.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2748	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2156-1-0x00000000013E0000-0x000000000160E000-memory.dmp	dcrat
behavioral1/files/0x0006000000017403-38.dat	dcrat
behavioral1/files/0x000500000001a446-78.dat	dcrat
behavioral1/files/0x00080000000174ac-98.dat	dcrat
behavioral1/files/0x000b000000012117-108.dat	dcrat
behavioral1/files/0x0010000000012117-147.dat	dcrat
behavioral1/files/0x000a0000000174ac-153.dat	dcrat
behavioral1/files/0x0011000000018678-206.dat	dcrat
behavioral1/memory/2352-265-0x00000000009D0000-0x0000000000BFE000-memory.dmp	dcrat
behavioral1/memory/2572-276-0x0000000000110000-0x000000000033E000-memory.dmp	dcrat
behavioral1/memory/3040-288-0x0000000000A10000-0x0000000000C3E000-memory.dmp	dcrat
behavioral1/files/0x00060000000191f7-292.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe

Executes dropped EXE 3 IoCs

pid	Process
2352	sppsvc.exe
2572	sppsvc.exe
3040	sppsvc.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835 = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Cursors\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\csrss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\spoolsv.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\spoolsv.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\csrss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\System.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Cursors\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Google\\System.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Google\\System.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\System.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835 = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\Pictures\\sppsvc.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\Pictures\\sppsvc.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\DVD Maker\\en-US\\dllhost.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\DigitalLocker\\ja-JP\\Idle.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\""	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\en-US\5940a34987c991	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\Google\csrss.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\Google\System.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXB302.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\spoolsv.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\DVD Maker\en-US\dllhost.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\f3b6ecef712a24	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\RCXAC27.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\RCXACC4.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\csrss.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\RCX9E76.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\System.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXBDC5.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\RCXBBBF.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\Google\886983d96e3d3e	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXA7B2.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\wininit.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXB301.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\RCXBBC0.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\RCX9E75.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXA7B1.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\wininit.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\56085415360792	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\56085415360792	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\Google\27d1bcfc3c54e0	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXBDC4.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\spoolsv.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\dllhost.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\Idle.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Windows\Cursors\RCXA28E.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Windows\Cursors\RCXA2FC.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Windows\DigitalLocker\ja-JP\RCXAEF8.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Windows\DigitalLocker\ja-JP\Idle.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Windows\Cursors\6ccacd8608530f	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Windows\DigitalLocker\ja-JP\Idle.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File created	C:\Windows\DigitalLocker\ja-JP\6ccacd8608530f	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Windows\Cursors\Idle.exe	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
File opened for modification	C:\Windows\DigitalLocker\ja-JP\RCXAEF7.tmp	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2032	schtasks.exe
3056	schtasks.exe
1704	schtasks.exe
2344	schtasks.exe
2952	schtasks.exe
1988	schtasks.exe
1508	schtasks.exe
1748	schtasks.exe
2232	schtasks.exe
2640	schtasks.exe
1780	schtasks.exe
2856	schtasks.exe
2140	schtasks.exe
608	schtasks.exe
2196	schtasks.exe
2360	schtasks.exe
2940	schtasks.exe
1700	schtasks.exe
108	schtasks.exe
2416	schtasks.exe
2632	schtasks.exe
2252	schtasks.exe
3040	schtasks.exe
3028	schtasks.exe
1812	schtasks.exe
2144	schtasks.exe
1976	schtasks.exe
1612	schtasks.exe
716	schtasks.exe
2468	schtasks.exe
2224	schtasks.exe
3000	schtasks.exe
1660	schtasks.exe
2948	schtasks.exe
556	schtasks.exe
2164	schtasks.exe
2092	schtasks.exe
1232	schtasks.exe
2656	schtasks.exe
2668	schtasks.exe
3008	schtasks.exe
2868	schtasks.exe
2704	schtasks.exe
2608	schtasks.exe
1000	schtasks.exe
2312	schtasks.exe
944	schtasks.exe
2220	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2352	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe
2352	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Token: SeDebugPrivilege	2352	sppsvc.exe
Token: SeDebugPrivilege	2572	sppsvc.exe
Token: SeDebugPrivilege	3040	sppsvc.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 536	2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe	79
PID 2156 wrote to memory of 536	2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe	79
PID 2156 wrote to memory of 536	2156	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe	79
PID 536 wrote to memory of 960	536	cmd.exe	81
PID 536 wrote to memory of 960	536	cmd.exe	81
PID 536 wrote to memory of 960	536	cmd.exe	81
PID 536 wrote to memory of 2352	536	cmd.exe	83
PID 536 wrote to memory of 2352	536	cmd.exe	83
PID 536 wrote to memory of 2352	536	cmd.exe	83
PID 536 wrote to memory of 2352	536	cmd.exe	83
PID 536 wrote to memory of 2352	536	cmd.exe	83
PID 2352 wrote to memory of 556	2352	sppsvc.exe	84
PID 2352 wrote to memory of 556	2352	sppsvc.exe	84
PID 2352 wrote to memory of 556	2352	sppsvc.exe	84
PID 2352 wrote to memory of 3028	2352	sppsvc.exe	85
PID 2352 wrote to memory of 3028	2352	sppsvc.exe	85
PID 2352 wrote to memory of 3028	2352	sppsvc.exe	85
PID 556 wrote to memory of 2572	556	WScript.exe	86
PID 556 wrote to memory of 2572	556	WScript.exe	86
PID 556 wrote to memory of 2572	556	WScript.exe	86
PID 556 wrote to memory of 2572	556	WScript.exe	86
PID 556 wrote to memory of 2572	556	WScript.exe	86
PID 2572 wrote to memory of 1704	2572	sppsvc.exe	87
PID 2572 wrote to memory of 1704	2572	sppsvc.exe	87
PID 2572 wrote to memory of 1704	2572	sppsvc.exe	87
PID 2572 wrote to memory of 2448	2572	sppsvc.exe	88
PID 2572 wrote to memory of 2448	2572	sppsvc.exe	88
PID 2572 wrote to memory of 2448	2572	sppsvc.exe	88
PID 1704 wrote to memory of 3040	1704	WScript.exe	89
PID 1704 wrote to memory of 3040	1704	WScript.exe	89
PID 1704 wrote to memory of 3040	1704	WScript.exe	89
PID 1704 wrote to memory of 3040	1704	WScript.exe	89
PID 1704 wrote to memory of 3040	1704	WScript.exe	89
PID 3040 wrote to memory of 1832	3040	sppsvc.exe	90
PID 3040 wrote to memory of 1832	3040	sppsvc.exe	90
PID 3040 wrote to memory of 1832	3040	sppsvc.exe	90
PID 3040 wrote to memory of 2836	3040	sppsvc.exe	91
PID 3040 wrote to memory of 2836	3040	sppsvc.exe	91
PID 3040 wrote to memory of 2836	3040	sppsvc.exe	91

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
"C:\Users\Admin\AppData\Local\Temp\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bxSkVmu9OG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:960
- - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe
    "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2352
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\103c765d-fe4f-4fdd-bd70-f737f9b7f18e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2572
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ba19638-22e7-4b09-99b9-1d280a9debdd.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\600ff6e9-1b1e-4802-858a-8c95e58526e5.vbs"
        8⤵
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edb1632b-21a3-4c28-9446-b7f5c751e744.vbs"
        8⤵
        
        PID:2836
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4af2dd0-8449-4607-9209-464248dc0892.vbs"
        6⤵
        
        PID:2448
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e62bf66f-9f23-4ef4-a0c0-644405c2504e.vbs"
      4⤵
      PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\ja-JP\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a08357" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a08357" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe

Filesize
2.2MB

MD5
5dd84741849961a6482d872f7f507e07

SHA1
bb0be26897f300c14e3b61a31017384949543f50

SHA256
640832662e822d12c89937f87d6a2a54b32f819ef0d552b519e8dd598c3c7fa7

SHA512
e79f526e052cd26119f12510daba3a0b9397a2bfd0d49830beac9c22a4b3dee283d4be36c3f5687874a6bc73323631975e137111258c67f402a87ce6872425b9

Download Submit
C:\Program Files\Google\csrss.exe

Filesize
2.2MB

MD5
8f92aa657b5be11b1029bc0b9dd049e3

SHA1
1d0c8182cc2a3e7cfa27801b1af4751d55967d35

SHA256
e161bc54f15f80df87b3a20b2132820823b67ebf9b00ecce3054d22e83779713

SHA512
d5cfcf63f4d8f361879c74cff1144eb9b7fbc7f6b82285c5e022c29863fdf7e544b26e31b7e92e7cb763b7fdaea226a72e3959d8f40e3e40d0992662b7af9b1e

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe

Filesize
2.2MB

MD5
4dc87164a1699a0f0c0697da177adc24

SHA1
8622ba0d98774bcc760b5c81ebc7f1a9573022d5

SHA256
3a0b97cdff92442f3b7196fe7f25a00bb1248bb2cc1663a83f9e81cba6f9232e

SHA512
75b0e7ed7c3df88c5b34da703a66f441b577549fb0ff52de3b1bc1f94ffcc8e535baf53908740e9308aa37706bb6bf65214012fde58f94c625c5123a923820c2

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe

Filesize
2.2MB

MD5
d05aa62f0828313d62c88e30335e0959

SHA1
c6edf6fe5d7b85de1c79712081977ec3c46449c4

SHA256
2885aa625464acae80cae17eee3ca525f11893e0abdadae9fd8b606f648e38b3

SHA512
cc4701603a12f93c2ebeb9df665c45bbb304b666ba2ae95c1e45a0b9525151b74127db5c605bc988c05e59ffde761ff6d9d9ed84a0ab601187befffae643ba70

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe

Filesize
2.2MB

MD5
8c76e7dcc8ae18ed5107083568de5c15

SHA1
b229653c55b499475dc90fd7f517dad0ddf83afa

SHA256
75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835

SHA512
bb1d47f24fe11a598c85ad3204bf272be66763d20b880996f68f06b0623aa7d823af44a60722977e539f8a80fab1bd9fd8866da0ffc72251d91aa38603ed12bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\103c765d-fe4f-4fdd-bd70-f737f9b7f18e.vbs

Filesize
735B

MD5
838a3e9f1dc05ec2a7f96807a781b2b3

SHA1
a0f9e6858903e2d9cb7574c1843cb3b457c18a25

SHA256
4ffa168aef34c7de2ebacd2fae596ab5b64e761783a0f30798fcaa1bcf335104

SHA512
1782502b2294bed879b4e3354394d5f90162851cbf05b780ae457b1f5f109783fa109a0b045c7248766b2463b8044ed2b41d192bd89575a0df1486c460e42b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ba19638-22e7-4b09-99b9-1d280a9debdd.vbs

Filesize
735B

MD5
81297d34a79b55cd8e2d17a4433eee2f

SHA1
909be1cab1432be103dd32ffbf37ee2980643f68

SHA256
635341ae38e5182d5cc637edda8aec73263edba36bc166a85bd4f10a2a614c81

SHA512
2a510063cbd3d1c9c015a711a6b6cb0fcb7b8943c3c9134d1cd23270ef8a837429c889bc5523357395d0bea539ad7c5c57f96cb05c5277e5afa59ba4e3a585db

Download Submit
C:\Users\Admin\AppData\Local\Temp\600ff6e9-1b1e-4802-858a-8c95e58526e5.vbs

Filesize
735B

MD5
d5cf1362d6a3cac600b93578a96cad26

SHA1
8769f61a2a51f4231566dbfc8a0645e382605bc4

SHA256
5a5a10db1d6b1959bc4db77d28562beb521c968ca50ae69644bb7073756ee8e9

SHA512
403e8bee1beb91670de9c94b764b820b5ff1693bb84f8c78580f9af3ffaccd893eef49b343b5e39aa68a689cb2e29758ed7c35dfcf6ca2670dd1c011dea8bca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\abdfe80f24beaaba513656d863de8817e0acf644.exe

Filesize
2.2MB

MD5
b95351566895710f796c58b38b04d94f

SHA1
057ba800c5bdb961c52a652cf07084f610e07a94

SHA256
8678c8d4067135089fedd23e92f52a5a0b10151f0859698e8dbbe97da1276177

SHA512
ec8001c362335e718935f6d1fd93b8e34aec33d087c1b69da3a38b6084bb620334b9701e6a8987a3cee37e3881860557e805a60884b80cd7554ef903bd7be9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxSkVmu9OG.bat

Filesize
224B

MD5
9836a481542a2c2fa419b3cb2b0d8d89

SHA1
4dd8398736e0971d672ac878d92f5c572d714b25

SHA256
635a644a9336fcaaffda73f78936c35d6ac8c4042b791ff2287f2d0b14c92566

SHA512
0d5e30300f1a64d6134152ebac1f976c26b17879dd0ad0ab3340a91e490e4a9e745d40c57e228dedb7d63bd0be92daa86a35ae61a305410ad4b2f84cb310e53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e62bf66f-9f23-4ef4-a0c0-644405c2504e.vbs

Filesize
511B

MD5
0f9d4ddc8426aa7cdad9362e88effdb7

SHA1
777924333b135df5384c3213bf8af8bc0205c445

SHA256
4ea6ced77fb31a1556e4c75203b93a498b47101acd2a17b8aacad4dfcad2563c

SHA512
83d2fc66b8191391fd002bf9f53716eba09c377c247a2975be005078541bae002bf766b9d7eaccca50e8e2b949fd4c039ffc46a761ab58ff4dfd3deb77719c14

Download Submit
C:\Users\Admin\Pictures\RCXA07B.tmp

Filesize
2.2MB

MD5
5d3af89d022a5254fb73160a9344c5cd

SHA1
29f80f28bc8a1f30f4377dbb9041605aff4fd484

SHA256
6342eadbd0350c42bc903b36487794cfc554a0e94ea389633942c1de23af862e

SHA512
740f213116b9fd1dac7193211bb370077cc0568fb944a3c80c050703ac0cf58064b7bc6acd1e5b34f9e5e27ee9b5a24403e000d76de2d89c1a2a6df88b7ebd80

Download Submit
C:\Windows\Cursors\Idle.exe

Filesize
2.2MB

MD5
7fd2005216e2773c8da3dabdc48bdcf5

SHA1
03fa4943e5ca79fad7fbc8f07073302f3a693ca7

SHA256
ced175e140614402fc1e485a34a6d61b0876fab176be581a8de6e9bd3aed9232

SHA512
61b31497a63c4082743539686845c5d973937ce103a824fe86cbed4c6d56bef11e95e93a7ec6bd8f256f0f45809d57b4122460e06ca2dcc468f8864f09bb4aee

Download Submit
memory/2156-12-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/2156-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2156-15-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/2156-16-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2156-18-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/2156-19-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

Filesize
48KB

Download
memory/2156-20-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/2156-21-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2156-22-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/2156-23-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/2156-25-0x0000000001330000-0x000000000133E000-memory.dmp

Filesize
56KB

Download
memory/2156-24-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/2156-26-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/2156-27-0x0000000001350000-0x0000000001358000-memory.dmp

Filesize
32KB

Download
memory/2156-28-0x0000000001360000-0x000000000136C000-memory.dmp

Filesize
48KB

Download
memory/2156-29-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-13-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/2156-14-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/2156-11-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2156-10-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2156-9-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2156-8-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/2156-194-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2156-7-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2156-218-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-243-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-6-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2156-262-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-1-0x00000000013E0000-0x000000000160E000-memory.dmp

Filesize
2.2MB

Download
memory/2156-5-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2156-4-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/2156-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-3-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/2352-265-0x00000000009D0000-0x0000000000BFE000-memory.dmp

Filesize
2.2MB

Download
memory/2572-276-0x0000000000110000-0x000000000033E000-memory.dmp

Filesize
2.2MB

Download
memory/3040-288-0x0000000000A10000-0x0000000000C3E000-memory.dmp

Filesize
2.2MB

Download