dcrat | d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984

Resubmissions

13/01/2025, 05:29

250113-f6xncaxraw 10

12/01/2025, 19:21

250112-x2mq1svqe1 10

Analysis

max time kernel
899s
max time network
899s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183CB9283D9C8F6282283BD39F49D33C.exe
Size

2.7MB
MD5

183cb9283d9c8f6282283bd39f49d33c
SHA1

76674564064d31bb9d37f802bdec3821d4a55d89
SHA256

d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984
SHA512

14a40235310755e00bfa58a5169978b7fe40890e2f1149500f77780b82ef1aed1354daafb149de18deb3690bbc1b4f6e885be988e4163b6e3acdd16c30d28e22
SSDEEP

49152:Bfj5Pkja3lMPnl9LS7y5PEeQxtD5vLyCse5EPUC1SKGLFSjvzbN+/rV:BfBkyqPnDSOdEeQfocN8GLQLkz

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2832	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 20 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1788-1-0x0000000001170000-0x0000000001424000-memory.dmp	dcrat
behavioral1/files/0x0005000000019c38-29.dat	dcrat
behavioral1/files/0x000500000001a5b0-62.dat	dcrat
behavioral1/files/0x0006000000019c38-120.dat	dcrat
behavioral1/files/0x0007000000019db8-142.dat	dcrat
behavioral1/files/0x000700000001a431-186.dat	dcrat
behavioral1/files/0x000b00000001a4bb-212.dat	dcrat
behavioral1/memory/2568-224-0x0000000001220000-0x00000000014D4000-memory.dmp	dcrat
behavioral1/memory/2708-251-0x00000000000E0000-0x0000000000394000-memory.dmp	dcrat
behavioral1/memory/1268-254-0x0000000000E50000-0x0000000001104000-memory.dmp	dcrat
behavioral1/memory/2904-257-0x0000000000EF0000-0x00000000011A4000-memory.dmp	dcrat
behavioral1/memory/1276-262-0x0000000000D60000-0x0000000001014000-memory.dmp	dcrat
behavioral1/memory/3068-263-0x0000000000C80000-0x0000000000F34000-memory.dmp	dcrat
behavioral1/memory/2820-267-0x0000000000DB0000-0x0000000001064000-memory.dmp	dcrat
behavioral1/memory/1992-268-0x0000000000BB0000-0x0000000000E64000-memory.dmp	dcrat
behavioral1/files/0x0007000000019d20-272.dat	dcrat
behavioral1/memory/2084-275-0x0000000000B10000-0x0000000000DC4000-memory.dmp	dcrat
behavioral1/memory/2912-274-0x0000000000A30000-0x0000000000CE4000-memory.dmp	dcrat
behavioral1/memory/2712-278-0x0000000000200000-0x00000000004B4000-memory.dmp	dcrat
behavioral1/memory/2804-282-0x0000000000BF0000-0x0000000000EA4000-memory.dmp	dcrat

Executes dropped EXE 15 IoCs

pid	Process
2568	WmiPrvSE.exe
2708	OSPPSVC.exe
1268	dwm.exe
2904	explorer.exe
1276	sppsvc.exe
3068	winlogon.exe
1992	OSPPSVC.exe
2820	dllhost.exe
2084	spoolsv.exe
2912	lsass.exe
2248	WmiPrvSE.exe
2712	System.exe
1680	dwm.exe
2804	csrss.exe
1536	OSPPSVC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\DVD Maker\es-ES\spoolsv.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCXB8BE.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\6cb0b6c459d5d3	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCXB8BD.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCXC49A.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\RCXB2AF.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCXC499.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCXC910.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCXC911.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\cc11b995f2a76d	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\7a0fd90576e088	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\dwm.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\DVD Maker\es-ES\f3b6ecef712a24	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\RCXB241.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\dwm.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\spoolsv.exe	183CB9283D9C8F6282283BD39F49D33C.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\RCXCB83.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\dllhost.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Windows\security\database\winlogon.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Windows\Web\Wallpaper\Architecture\dllhost.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Windows\security\database\cc11b995f2a76d	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Windows\Web\Wallpaper\Architecture\5940a34987c991	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Windows\security\database\RCXC227.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Windows\security\database\RCXC295.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Windows\security\database\winlogon.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\RCXCB15.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Windows\Boot\DVD\PCAT\spoolsv.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Windows\winsxs\dwm.exe	183CB9283D9C8F6282283BD39F49D33C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1500	schtasks.exe
1600	schtasks.exe
1488	schtasks.exe
2776	schtasks.exe
1120	schtasks.exe
872	schtasks.exe
976	schtasks.exe
2580	schtasks.exe
2708	schtasks.exe
2896	schtasks.exe
2784	schtasks.exe
2204	schtasks.exe
3052	schtasks.exe
2412	schtasks.exe
1384	schtasks.exe
2900	schtasks.exe
2936	schtasks.exe
2988	schtasks.exe
2436	schtasks.exe
1428	schtasks.exe
2944	schtasks.exe
1000	schtasks.exe
2128	schtasks.exe
1364	schtasks.exe
2612	schtasks.exe
1424	schtasks.exe
2572	schtasks.exe
1520	schtasks.exe
2640	schtasks.exe
1984	schtasks.exe
2220	schtasks.exe
2132	schtasks.exe
1936	schtasks.exe
2556	schtasks.exe
2816	schtasks.exe
1928	schtasks.exe
2864	schtasks.exe
2400	schtasks.exe
776	schtasks.exe
2824	schtasks.exe
2016	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1788	183CB9283D9C8F6282283BD39F49D33C.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	183CB9283D9C8F6282283BD39F49D33C.exe
Token: SeDebugPrivilege	2568	WmiPrvSE.exe
Token: SeDebugPrivilege	2708	OSPPSVC.exe
Token: SeDebugPrivilege	1268	dwm.exe
Token: SeDebugPrivilege	2904	explorer.exe
Token: SeDebugPrivilege	1276	sppsvc.exe
Token: SeDebugPrivilege	3068	winlogon.exe
Token: SeDebugPrivilege	2820	dllhost.exe
Token: SeDebugPrivilege	1992	OSPPSVC.exe
Token: SeDebugPrivilege	2912	lsass.exe
Token: SeDebugPrivilege	2084	spoolsv.exe
Token: SeDebugPrivilege	2248	WmiPrvSE.exe
Token: SeDebugPrivilege	2712	System.exe
Token: SeDebugPrivilege	1680	dwm.exe
Token: SeDebugPrivilege	2804	csrss.exe
Token: SeDebugPrivilege	1536	OSPPSVC.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2716	1788	183CB9283D9C8F6282283BD39F49D33C.exe	74
PID 1788 wrote to memory of 2716	1788	183CB9283D9C8F6282283BD39F49D33C.exe	74
PID 1788 wrote to memory of 2716	1788	183CB9283D9C8F6282283BD39F49D33C.exe	74
PID 2716 wrote to memory of 304	2716	cmd.exe	76
PID 2716 wrote to memory of 304	2716	cmd.exe	76
PID 2716 wrote to memory of 304	2716	cmd.exe	76
PID 2716 wrote to memory of 2568	2716	cmd.exe	77
PID 2716 wrote to memory of 2568	2716	cmd.exe	77
PID 2716 wrote to memory of 2568	2716	cmd.exe	77
PID 2240 wrote to memory of 2708	2240	taskeng.exe	79
PID 2240 wrote to memory of 2708	2240	taskeng.exe	79
PID 2240 wrote to memory of 2708	2240	taskeng.exe	79
PID 2240 wrote to memory of 1268	2240	taskeng.exe	80
PID 2240 wrote to memory of 1268	2240	taskeng.exe	80
PID 2240 wrote to memory of 1268	2240	taskeng.exe	80
PID 2240 wrote to memory of 2904	2240	taskeng.exe	81
PID 2240 wrote to memory of 2904	2240	taskeng.exe	81
PID 2240 wrote to memory of 2904	2240	taskeng.exe	81
PID 2240 wrote to memory of 1276	2240	taskeng.exe	83
PID 2240 wrote to memory of 1276	2240	taskeng.exe	83
PID 2240 wrote to memory of 1276	2240	taskeng.exe	83
PID 2240 wrote to memory of 1276	2240	taskeng.exe	83
PID 2240 wrote to memory of 1276	2240	taskeng.exe	83
PID 2240 wrote to memory of 3068	2240	taskeng.exe	82
PID 2240 wrote to memory of 3068	2240	taskeng.exe	82
PID 2240 wrote to memory of 3068	2240	taskeng.exe	82
PID 2240 wrote to memory of 1992	2240	taskeng.exe	85
PID 2240 wrote to memory of 1992	2240	taskeng.exe	85
PID 2240 wrote to memory of 1992	2240	taskeng.exe	85
PID 2240 wrote to memory of 2820	2240	taskeng.exe	84
PID 2240 wrote to memory of 2820	2240	taskeng.exe	84
PID 2240 wrote to memory of 2820	2240	taskeng.exe	84
PID 2240 wrote to memory of 2248	2240	taskeng.exe	86
PID 2240 wrote to memory of 2248	2240	taskeng.exe	86
PID 2240 wrote to memory of 2248	2240	taskeng.exe	86
PID 2240 wrote to memory of 2084	2240	taskeng.exe	87
PID 2240 wrote to memory of 2084	2240	taskeng.exe	87
PID 2240 wrote to memory of 2084	2240	taskeng.exe	87
PID 2240 wrote to memory of 2912	2240	taskeng.exe	88
PID 2240 wrote to memory of 2912	2240	taskeng.exe	88
PID 2240 wrote to memory of 2912	2240	taskeng.exe	88
PID 2240 wrote to memory of 2712	2240	taskeng.exe	89
PID 2240 wrote to memory of 2712	2240	taskeng.exe	89
PID 2240 wrote to memory of 2712	2240	taskeng.exe	89
PID 2240 wrote to memory of 1680	2240	taskeng.exe	91
PID 2240 wrote to memory of 1680	2240	taskeng.exe	91
PID 2240 wrote to memory of 1680	2240	taskeng.exe	91
PID 2240 wrote to memory of 2804	2240	taskeng.exe	90
PID 2240 wrote to memory of 2804	2240	taskeng.exe	90
PID 2240 wrote to memory of 2804	2240	taskeng.exe	90
PID 2240 wrote to memory of 1536	2240	taskeng.exe	92
PID 2240 wrote to memory of 1536	2240	taskeng.exe	92
PID 2240 wrote to memory of 1536	2240	taskeng.exe	92

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\183CB9283D9C8F6282283BD39F49D33C.exe
C:\Users\Admin\AppData\Local\Temp\183CB9283D9C8F6282283BD39F49D33C.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d4Jw7CIQav.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:304
- - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
    "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\security\database\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\database\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\security\database\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Architecture\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Architecture\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Architecture\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\taskeng.exe
taskeng.exe {86663D72-6EAA-4661-98F2-FBDE6AC95236} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Default User\OSPPSVC.exe
  "C:\Users\Default User\OSPPSVC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe
  "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe
  "C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe
  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\Web\Wallpaper\Architecture\dllhost.exe
  C:\Windows\Web\Wallpaper\Architecture\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Users\Default User\OSPPSVC.exe
  "C:\Users\Default User\OSPPSVC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Program Files\DVD Maker\es-ES\spoolsv.exe
  "C:\Program Files\DVD Maker\es-ES\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\MSOCache\All Users\lsass.exe
  "C:\MSOCache\All Users\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe
  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\csrss.exe
  "C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Users\Default User\OSPPSVC.exe
  "C:\Users\Default User\OSPPSVC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\lsass.exe

Filesize
2.7MB

MD5
32abee195cd4f9f87b2295fbf6bfb371

SHA1
0b31143bfae568a64983569d9394ab6b36fef430

SHA256
7f6f6e1cebc14d8e65ebcbdc98ed5f4f0fce6660cc0206823a3245e690e399cd

SHA512
2592056adef586801926058127877213f0420cb4c5ab27074181beb76cf59be66834d9f567fc4824edcec14452ee444a7b6de4cfda9d5eb46e425f5c05538252

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe

Filesize
2.7MB

MD5
0ebb90a6ed5cfa749d3222aa7990cc5b

SHA1
9afaba8d2485e8a5a8854a529e042934e57b80cf

SHA256
9580e43dc1a3f3d4645039270b197927b90035221b4f28d18ece584e23a7b779

SHA512
bf277be706f5cd8422f82bacb11d46cd5947a1b4f4dea09f3be518a8c21e35f375ef4f02ed87ba67239119c11599c11cec8e0ca41c09aa9227d1b8c1ba676d05

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\csrss.exe

Filesize
2.7MB

MD5
011af877b0c068ec3e86050942662a64

SHA1
0c0cc583d73ba8a299dc8b98935d1c5e1ca43413

SHA256
80c2ae7f7957687e18b5d60700ff9ae08b630bc52ae5de9d336652c2086c1a85

SHA512
2ec11024ba5b4fe7f95db747295e42b56ab31ffacb952fc630dccccf79c39d0556a582157baa9ffcd871867c92334c9d433fbce3c64cdfa0a4d6cffd7a8e4374

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

Filesize
2.7MB

MD5
1eb7fb4e675656d96e9682b748d13a84

SHA1
65baed9470d0997715a4eeb9824c183733ef7b09

SHA256
7fb43363cd1867c8086500491da0b9214f37262676882aaefd58bc3109046660

SHA512
8c93895fb1c02d4583251f194ec213dba9ce9122d0864bb7dbc50cfbbd6c56af0b3f5dfedc1e9b2b8e318a9266910a53aa5cf89ce0d1c844811ccbc7e212728d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4Jw7CIQav.bat

Filesize
226B

MD5
56d159c1d64fd6384196d3ccc2a1f9d6

SHA1
c748560b78e29e63fed96fb99ef814f9215908c5

SHA256
7030728b226e2f465f547ebed420a223cf66873179a549c041742b86b5e4039f

SHA512
4504c16dd75b998761523da24288a1615b8d840e8e48e97fea9ce4e7f0836b83119e06b2b51c1d4e91a189f57b2106c4791da111dc4799365d88b10673e5f231

Download Submit
C:\Users\Default\OSPPSVC.exe

Filesize
2.7MB

MD5
183cb9283d9c8f6282283bd39f49d33c

SHA1
76674564064d31bb9d37f802bdec3821d4a55d89

SHA256
d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984

SHA512
14a40235310755e00bfa58a5169978b7fe40890e2f1149500f77780b82ef1aed1354daafb149de18deb3690bbc1b4f6e885be988e4163b6e3acdd16c30d28e22

Download Submit
C:\Windows\Web\Wallpaper\Architecture\dllhost.exe

Filesize
2.7MB

MD5
080efa2b430e7e357583dda5db73e592

SHA1
2541f59d762bc1ed91d6f935d30f432e8b6a8513

SHA256
dd61e5c99916e5c5cd2fc38be0fb2a0185689fbd0452fb614ec8832d51d71b00

SHA512
95727d904a661360e81ea28e5bc6bc638b2a1bb8d928ba37397837396b17a1d28b5a2f575363652b27c20a339a53a2872e94994daec4b2359e02b06c56e0a49e

Download Submit
C:\Windows\security\database\winlogon.exe

Filesize
2.7MB

MD5
746fe4efb4fbd675eb7d111caafb4bf6

SHA1
89a59d0ecbf1ff7adf3f021262efcdc6ddfdf0ed

SHA256
269dabc191a206ebc1fe6617cb0ee9cab6eabe0f646d1c8284488f38e3b1832c

SHA512
68d71cdd9edbe4c9392064bf53c56b31bd1ec921bb43be76f59c254ffe28ee58cd6e775b716708300aa3ff429c3b8dc63a717bc58ff8c4fd681757f0b51acf2f

Download Submit
memory/1268-254-0x0000000000E50000-0x0000000001104000-memory.dmp

Filesize
2.7MB

Download
memory/1276-262-0x0000000000D60000-0x0000000001014000-memory.dmp

Filesize
2.7MB

Download
memory/1788-4-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/1788-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1788-12-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/1788-13-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/1788-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1788-15-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/1788-16-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/1788-17-0x0000000000E40000-0x0000000000E4E000-memory.dmp

Filesize
56KB

Download
memory/1788-18-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/1788-19-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/1788-220-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1788-7-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/1788-8-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/1788-6-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1788-5-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1788-9-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/1788-11-0x0000000000C40000-0x0000000000C96000-memory.dmp

Filesize
344KB

Download
memory/1788-203-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1788-20-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/1788-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1788-1-0x0000000001170000-0x0000000001424000-memory.dmp

Filesize
2.7MB

Download
memory/1788-10-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/1788-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1992-268-0x0000000000BB0000-0x0000000000E64000-memory.dmp

Filesize
2.7MB

Download
memory/2084-275-0x0000000000B10000-0x0000000000DC4000-memory.dmp

Filesize
2.7MB

Download
memory/2568-225-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2568-224-0x0000000001220000-0x00000000014D4000-memory.dmp

Filesize
2.7MB

Download
memory/2708-251-0x00000000000E0000-0x0000000000394000-memory.dmp

Filesize
2.7MB

Download
memory/2712-278-0x0000000000200000-0x00000000004B4000-memory.dmp

Filesize
2.7MB

Download
memory/2804-282-0x0000000000BF0000-0x0000000000EA4000-memory.dmp

Filesize
2.7MB

Download
memory/2820-267-0x0000000000DB0000-0x0000000001064000-memory.dmp

Filesize
2.7MB

Download
memory/2904-257-0x0000000000EF0000-0x00000000011A4000-memory.dmp

Filesize
2.7MB

Download
memory/2912-274-0x0000000000A30000-0x0000000000CE4000-memory.dmp

Filesize
2.7MB

Download
memory/3068-263-0x0000000000C80000-0x0000000000F34000-memory.dmp

Filesize
2.7MB

Download