dcrat | e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Size

1.5MB
MD5

d36cc4a093e0bc7ca5a9342ab6012419
SHA1

ce5387ec8626e899804182655ad84ed339771ed1
SHA256

e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1
SHA512

df08e46279f1726a78b73b2191b7e878512e84520eed04f5b45aa14553447e216bf9b3a44d0478947d340ced9c434b7526266b4380f0fe16196eb8da5c8206be
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\Cursors\55b276f4edf653		e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
		2596	schtasks.exe
		4936	schtasks.exe
		560	schtasks.exe
		2716	schtasks.exe
		4512	schtasks.exe
		1136	schtasks.exe
		544	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\csrss.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Registry.exe\", \"C:\\Users\\Public\\Desktop\\dwm.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\csrss.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Registry.exe\", \"C:\\Users\\Public\\Desktop\\dwm.exe\", \"C:\\Windows\\System32\\mfc110kor\\SppExtComObj.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\csrss.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Registry.exe\", \"C:\\Users\\Public\\Desktop\\dwm.exe\", \"C:\\Windows\\System32\\mfc110kor\\SppExtComObj.exe\", \"C:\\Windows\\System32\\KBDHELA2\\dwm.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\csrss.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Registry.exe\", \"C:\\Users\\Public\\Desktop\\dwm.exe\", \"C:\\Windows\\System32\\mfc110kor\\SppExtComObj.exe\", \"C:\\Windows\\System32\\KBDHELA2\\dwm.exe\", \"C:\\Windows\\System32\\RemoteSystemToastIcon.contrast-white\\RuntimeBroker.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\csrss.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\csrss.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Registry.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	2244	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2244	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2244	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2244	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2244	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2244	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2244	schtasks.exe	82

UAC bypass 3 TTPs 51 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3184	powershell.exe
2000	powershell.exe
4544	powershell.exe
1668	powershell.exe
680	powershell.exe
1460	powershell.exe
4496	powershell.exe
1656	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 16 IoCs

pid	Process
4464	SppExtComObj.exe
4876	SppExtComObj.exe
4172	SppExtComObj.exe
1816	SppExtComObj.exe
4416	SppExtComObj.exe
4228	SppExtComObj.exe
5076	SppExtComObj.exe
2692	SppExtComObj.exe
4680	SppExtComObj.exe
2304	SppExtComObj.exe
4832	SppExtComObj.exe
3180	SppExtComObj.exe
1020	SppExtComObj.exe
1276	SppExtComObj.exe
4780	SppExtComObj.exe
3348	SppExtComObj.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft\\csrss.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Desktop\\dwm.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\mfc110kor\\SppExtComObj.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\KBDHELA2\\dwm.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\mfc110kor\\SppExtComObj.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\RemoteSystemToastIcon.contrast-white\\RuntimeBroker.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Cursors\\StartMenuExperienceHost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\MSBuild\\Microsoft\\Registry.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Desktop\\dwm.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\KBDHELA2\\dwm.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft\\csrss.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\MSBuild\\Microsoft\\Registry.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\RemoteSystemToastIcon.contrast-white\\RuntimeBroker.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\mfc110kor\RCXBEB1.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\RemoteSystemToastIcon.contrast-white\RCXC2BB.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\mfc110kor\SppExtComObj.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\mfc110kor\e1ef82546f0b02	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\KBDHELA2\dwm.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\mfc110kor\SppExtComObj.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\KBDHELA2\RCXC0B6.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\KBDHELA2\dwm.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\RemoteSystemToastIcon.contrast-white\RuntimeBroker.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\KBDHELA2\6cb0b6c459d5d3	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\RemoteSystemToastIcon.contrast-white\RuntimeBroker.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\RemoteSystemToastIcon.contrast-white\9e8d7a4ca61bd9	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\ee2ad38f3d4382	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCXB7C9.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\csrss.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXBA3B.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Registry.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Program Files (x86)\Microsoft\csrss.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Program Files (x86)\Microsoft\886983d96e3d3e	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Program Files\MSBuild\Microsoft\Registry.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\StartMenuExperienceHost.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\Cursors\55b276f4edf653	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\Cursors\RCXB557.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\Cursors\StartMenuExperienceHost.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
544	schtasks.exe
560	schtasks.exe
2596	schtasks.exe
4936	schtasks.exe
2716	schtasks.exe
4512	schtasks.exe
1136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
4544	powershell.exe
3184	powershell.exe
3184	powershell.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1656	powershell.exe
1656	powershell.exe
1668	powershell.exe
1668	powershell.exe
1460	powershell.exe
1460	powershell.exe
4544	powershell.exe
4544	powershell.exe
4496	powershell.exe
4496	powershell.exe
680	powershell.exe
680	powershell.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
2000	powershell.exe
2000	powershell.exe
3184	powershell.exe
1668	powershell.exe
1460	powershell.exe
1656	powershell.exe
4496	powershell.exe
3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
680	powershell.exe
2000	powershell.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe
4464	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	4464	SppExtComObj.exe
Token: SeDebugPrivilege	4876	SppExtComObj.exe
Token: SeDebugPrivilege	4172	SppExtComObj.exe
Token: SeDebugPrivilege	1816	SppExtComObj.exe
Token: SeDebugPrivilege	4416	SppExtComObj.exe
Token: SeDebugPrivilege	4228	SppExtComObj.exe
Token: SeDebugPrivilege	5076	SppExtComObj.exe
Token: SeDebugPrivilege	2692	SppExtComObj.exe
Token: SeDebugPrivilege	4680	SppExtComObj.exe
Token: SeDebugPrivilege	2304	SppExtComObj.exe
Token: SeDebugPrivilege	4832	SppExtComObj.exe
Token: SeDebugPrivilege	3180	SppExtComObj.exe
Token: SeDebugPrivilege	1020	SppExtComObj.exe
Token: SeDebugPrivilege	1276	SppExtComObj.exe
Token: SeDebugPrivilege	4780	SppExtComObj.exe
Token: SeDebugPrivilege	3348	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 2000	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	93
PID 3356 wrote to memory of 2000	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	93
PID 3356 wrote to memory of 4544	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	94
PID 3356 wrote to memory of 4544	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	94
PID 3356 wrote to memory of 1668	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	95
PID 3356 wrote to memory of 1668	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	95
PID 3356 wrote to memory of 680	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	96
PID 3356 wrote to memory of 680	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	96
PID 3356 wrote to memory of 1460	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	97
PID 3356 wrote to memory of 1460	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	97
PID 3356 wrote to memory of 4496	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	98
PID 3356 wrote to memory of 4496	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	98
PID 3356 wrote to memory of 1656	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	99
PID 3356 wrote to memory of 1656	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	99
PID 3356 wrote to memory of 3184	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	100
PID 3356 wrote to memory of 3184	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	100
PID 3356 wrote to memory of 4464	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	109
PID 3356 wrote to memory of 4464	3356	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	109
PID 4464 wrote to memory of 4964	4464	SppExtComObj.exe	110
PID 4464 wrote to memory of 4964	4464	SppExtComObj.exe	110
PID 4464 wrote to memory of 4608	4464	SppExtComObj.exe	111
PID 4464 wrote to memory of 4608	4464	SppExtComObj.exe	111
PID 4964 wrote to memory of 4876	4964	WScript.exe	116
PID 4964 wrote to memory of 4876	4964	WScript.exe	116
PID 4876 wrote to memory of 5072	4876	SppExtComObj.exe	117
PID 4876 wrote to memory of 5072	4876	SppExtComObj.exe	117
PID 4876 wrote to memory of 2128	4876	SppExtComObj.exe	118
PID 4876 wrote to memory of 2128	4876	SppExtComObj.exe	118
PID 5072 wrote to memory of 4172	5072	WScript.exe	120
PID 5072 wrote to memory of 4172	5072	WScript.exe	120
PID 4172 wrote to memory of 2040	4172	SppExtComObj.exe	121
PID 4172 wrote to memory of 2040	4172	SppExtComObj.exe	121
PID 4172 wrote to memory of 3252	4172	SppExtComObj.exe	122
PID 4172 wrote to memory of 3252	4172	SppExtComObj.exe	122
PID 2040 wrote to memory of 1816	2040	WScript.exe	124
PID 2040 wrote to memory of 1816	2040	WScript.exe	124
PID 1816 wrote to memory of 3280	1816	SppExtComObj.exe	125
PID 1816 wrote to memory of 3280	1816	SppExtComObj.exe	125
PID 1816 wrote to memory of 2000	1816	SppExtComObj.exe	126
PID 1816 wrote to memory of 2000	1816	SppExtComObj.exe	126
PID 3280 wrote to memory of 4416	3280	WScript.exe	127
PID 3280 wrote to memory of 4416	3280	WScript.exe	127
PID 4416 wrote to memory of 4460	4416	SppExtComObj.exe	128
PID 4416 wrote to memory of 4460	4416	SppExtComObj.exe	128
PID 4416 wrote to memory of 3200	4416	SppExtComObj.exe	129
PID 4416 wrote to memory of 3200	4416	SppExtComObj.exe	129
PID 4460 wrote to memory of 4228	4460	WScript.exe	130
PID 4460 wrote to memory of 4228	4460	WScript.exe	130
PID 4228 wrote to memory of 1848	4228	SppExtComObj.exe	131
PID 4228 wrote to memory of 1848	4228	SppExtComObj.exe	131
PID 4228 wrote to memory of 3928	4228	SppExtComObj.exe	132
PID 4228 wrote to memory of 3928	4228	SppExtComObj.exe	132
PID 1848 wrote to memory of 5076	1848	WScript.exe	133
PID 1848 wrote to memory of 5076	1848	WScript.exe	133
PID 5076 wrote to memory of 1456	5076	SppExtComObj.exe	134
PID 5076 wrote to memory of 1456	5076	SppExtComObj.exe	134
PID 5076 wrote to memory of 3184	5076	SppExtComObj.exe	135
PID 5076 wrote to memory of 3184	5076	SppExtComObj.exe	135
PID 1456 wrote to memory of 2692	1456	WScript.exe	136
PID 1456 wrote to memory of 2692	1456	WScript.exe	136
PID 2692 wrote to memory of 4440	2692	SppExtComObj.exe	137
PID 2692 wrote to memory of 4440	2692	SppExtComObj.exe	137
PID 2692 wrote to memory of 1804	2692	SppExtComObj.exe	138
PID 2692 wrote to memory of 1804	2692	SppExtComObj.exe	138

System policy modification 1 TTPs 51 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
"C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc110kor\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDHELA2\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\RemoteSystemToastIcon.contrast-white\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\System32\mfc110kor\SppExtComObj.exe
  "C:\Windows\System32\mfc110kor\SppExtComObj.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4464
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3decb2dd-640a-4212-906b-c00c698bebb0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\System32\mfc110kor\SppExtComObj.exe
      C:\Windows\System32\mfc110kor\SppExtComObj.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4876
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1e4e7d7-faef-4968-bc84-bb37ecaa36cc.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3390f92a-225d-49f2-a653-bdcf722266fd.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16bb47fa-e7fa-472f-880c-a42feb0e96bf.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\378200ae-29cd-43c2-8f07-6158b2fab079.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\899e3868-c43e-4fb9-8b85-6268b8a4ad14.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0920e4a3-563a-4905-8439-c4375998ba67.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b33e68-039d-4af1-9917-5f69a80b4d2b.vbs"
        17⤵
        
        PID:4440
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9717ccd1-06fc-47cc-8279-7db2a158039e.vbs"
        19⤵
        
        PID:5104
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\270dd4aa-5d21-46f1-b709-62410b1d0499.vbs"
        21⤵
        
        PID:552
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fcab5a5-f5dc-46f1-bb7a-3698ded7f0da.vbs"
        23⤵
        
        PID:2884
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af3131b2-e459-4636-9303-88d9f30ad175.vbs"
        25⤵
        
        PID:4004
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7022bd0-11e2-4e78-898c-e7ecaf8fcc68.vbs"
        27⤵
        
        PID:4476
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1714a8b1-3573-419b-ab19-2c16c6610d55.vbs"
        29⤵
        
        PID:2016
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2b8be88-cd5c-47f1-9861-508450197fc4.vbs"
        31⤵
        
        PID:5048
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        
        C:\Windows\System32\mfc110kor\SppExtComObj.exe
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c3577c7-eada-42da-9032-6bcb4ac02d3f.vbs"
        33⤵
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eae1f92-d96d-433e-a955-8266d07835ba.vbs"
        33⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bd42db0-9828-4ea9-bcd5-d2742cd2968f.vbs"
        31⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76148fb4-8e23-4e07-80cc-2409d703973d.vbs"
        29⤵
        
        PID:4576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2a95e19-398b-4bb5-a3b8-8fd689dd4ba4.vbs"
        27⤵
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0de467e-6b5b-4a70-b9fe-24281075822b.vbs"
        25⤵
        
        PID:3540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27303192-9aec-4ee7-9c2e-1ee80a29b0a4.vbs"
        23⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5d5f1bd-06f8-40f7-b548-ba86b5167d3d.vbs"
        21⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf50ee4c-d6fd-4103-8741-8cd2d72f9958.vbs"
        19⤵
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2186906a-566d-4412-8bdf-154fab9181fb.vbs"
        17⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93459b80-2b5f-4c03-948e-dee359e81f9e.vbs"
        15⤵
        
        PID:3184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\632ee623-a3a1-4b19-a98e-477bd3fa1736.vbs"
        13⤵
        
        PID:3928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\338fd728-e9fa-4942-b110-2f676632a030.vbs"
        11⤵
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93caa16d-bcc9-4764-bc63-f6f33a85287e.vbs"
        9⤵
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\761b22f5-5532-4b4c-8a6b-1108a769b315.vbs"
        7⤵
        
        PID:3252
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\733d299f-9cf0-4701-bc71-ddc14e062271.vbs"
        5⤵
        
        PID:2128
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54988067-ae88-4c65-b87c-1b798b80cf34.vbs"
    3⤵
    PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Cursors\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\mfc110kor\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\KBDHELA2\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\RemoteSystemToastIcon.contrast-white\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\0920e4a3-563a-4905-8439-c4375998ba67.vbs

Filesize
722B

MD5
c37c5611c70515a36ecc27724034d089

SHA1
a1bb429bf7f543f58ecf7b8a516c355c3a5ea60a

SHA256
cdb50786acca67ab094d8452b5d6aea818172ce5ee85f9a91181c4f6c0222663

SHA512
37eba3e934c2f278fd1e3f4de0041ee60497a41483ea8bc3b87c3fde75f67bf84314728bbc3651e3e3b670ea20e0ff5c2b265cd50ee9966f538169a8d5548ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\16bb47fa-e7fa-472f-880c-a42feb0e96bf.vbs

Filesize
722B

MD5
37df8d354522425aed1869574355ac5b

SHA1
a2c66b92e0adafeda68592fa2fee194f19c5f3e6

SHA256
cfe4b1eb161434add1e604c30ccb1956dd2944f406d47c512e1b7d5ebf4c855e

SHA512
c749bb728a227af3f73935e6434b3f2eb76bd064734626f659ba7f45c64131d43f2a941b675ce5af96185d8ad1b39b5ef0cc357c674347598d61bc52a3de9aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1714a8b1-3573-419b-ab19-2c16c6610d55.vbs

Filesize
722B

MD5
66bd05d8315eabfa6691712ecd35c387

SHA1
13266ab655f0623e1aa5d925ce006898c397927a

SHA256
b7c401b430949e2c5491c413bb8d735b13d8f9e20129f9f7b2f72681006efbd3

SHA512
c91ef6dd24c1fe2ef2e22387852cf730ba7ea00c7968b9426440c8d8967c46990389320a4821460d0710a263b0b6c834bd19c4385626d99d6f985105d8f78cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\270dd4aa-5d21-46f1-b709-62410b1d0499.vbs

Filesize
722B

MD5
20697b5ac1f57373971c6a85aa262fad

SHA1
1ca057cb3ac0430b26c64e5696abaa9f0097222a

SHA256
dfed382d977b9a93117bd78a6f9c83730079737dab4286dd5cd6dcb3bca63e0b

SHA512
d9f5b7a2c956b1b9e08b73555a712b2f1d353a1f2a0e3bded066f8a3f47ea7cd38d38dffd512abc960228a8b90eb01142be63dc58990dc06b96c14cfad4761e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3390f92a-225d-49f2-a653-bdcf722266fd.vbs

Filesize
722B

MD5
9f986872f900b1d4f6b7a10ada0d356b

SHA1
d94e3139370d1aa2b37bdb2f26443d5d1047e293

SHA256
c91c93f4e7f91f217444581ed04d7b174176b45f1b18d95175a10e074580db91

SHA512
44e72d3ce8f315eab2a503f595a9b1ccf453c794bbf69cdc7e0f9d566e22d76cacb669dbf5f7f0c34971ca7b46cc339da81cb9e4f6477ae56d277f40bf99f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\378200ae-29cd-43c2-8f07-6158b2fab079.vbs

Filesize
722B

MD5
0d3b89e427d5f3ce478f8c1a062a9f66

SHA1
671c1b9333f2e82bdeeb1625122324f1435c3dca

SHA256
e45cb39ddbdffa13832b9fab65957382807eb580006f302e4cb36fe6e151acab

SHA512
3d0cdfe40b2c3ebdec3160637aad03be168aeed3d96dd466d4c23189891af5c45a0458f211042a84218471363b0cf82f42a600147074efcadd207f340850d6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3decb2dd-640a-4212-906b-c00c698bebb0.vbs

Filesize
722B

MD5
be6fc64bd562861d6b1c6ae26a8fedd2

SHA1
cd68ae089f9085cd19905927a24cff4112a5951c

SHA256
cbaa397ef658faf9fe659b6db00d06d0c209df8fa2241a6dec558fb5435725d0

SHA512
e0e1707e8ea75a8699f153b5b59291f421e92a5c0437c7d2c280c2ce6cb8ebfe84b528b71b7b6857e9ebc946eba8c40200c5283dc311182740f8f567f656741e

Download Submit
C:\Users\Admin\AppData\Local\Temp\54988067-ae88-4c65-b87c-1b798b80cf34.vbs

Filesize
498B

MD5
a16b524206aef7eb09e0f336a2ede5a5

SHA1
355a44c0b1291b5771f20e485e259a85def2d807

SHA256
3cfd85471f1a0bc0a27806224750edf277761f5d3c1b4d275c0dadbd8ef41eee

SHA512
318874891218f2d5f2bbc535be3b2633d9d354a9168fa027efd600f41c503cf64ea1ec326cb42314565c864a7fda6caa8db147a7cddb85191e2de470f9f240eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fcab5a5-f5dc-46f1-bb7a-3698ded7f0da.vbs

Filesize
722B

MD5
3026056621929a8691944af48fdabf3d

SHA1
7eca240f35726819d1bf096636663bfd0571df76

SHA256
1227535bc09091599b241dbe49bd5b32e05ff75501cdbd7490d486bfd00cff67

SHA512
fb1d8ba67b7c215ae7b4f8e06aff960761feea9eb558a190c6f1c7d026e81ebd7ba3223c39c90918a884da36f6b47e20bb6629ed6ff2a13f40a0502fded3db9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\899e3868-c43e-4fb9-8b85-6268b8a4ad14.vbs

Filesize
722B

MD5
8fb40a3643ece0866fdf2f31e9c7e5cd

SHA1
697b18d0efb1365888d7324075841ec72d301a6a

SHA256
3fc5f06b1bf67e5153d9d406c2d9ce670bdefef19813262df3590932ba20794f

SHA512
9cac3851c123f3fcfadfbfd06dba8580e931dbe0871f4f9b0cbe680c037be9dc0da11f6b222e657f928c0561e50ea27d9aee30a3d75cad39c508da8c23f13409

Download Submit
C:\Users\Admin\AppData\Local\Temp\9717ccd1-06fc-47cc-8279-7db2a158039e.vbs

Filesize
722B

MD5
2a2fe13bc8648f96f70358eb376d069b

SHA1
6beeb67a46a106d1def5aba50453984c3e6606cf

SHA256
c2d891706717f899d5e770cf3f7b2ad2352286cbc854d7dea4a8262931289ab5

SHA512
b05200d6fadd61d70ec89dc60eabb53e8834e2487330f1b1e33740a9c0fff339f4eb253d7613ab8ae3917466535c58acc7086c8ffb34d56bf6fe1c871d1e1e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvxfnbfr.vw1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\af3131b2-e459-4636-9303-88d9f30ad175.vbs

Filesize
722B

MD5
013b773a4c182bd46a412558e72dbfa2

SHA1
3cc43037958dadd98c1a85b562b0876819d06bb7

SHA256
d86a651211393b719bbb9ef01d7dc579422e677147b4d66fae20fddb8bf64d98

SHA512
239b971b32c9430a0ba2727ba932aa7586b0aa0480376cad8b762b3f52f9d392a91bea872c2fbcfe508590716001c9d22559bc09e22706717e95bff2e40fbe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1b33e68-039d-4af1-9917-5f69a80b4d2b.vbs

Filesize
722B

MD5
b27685711a9bb9253ec03db7767e5ffc

SHA1
8c158e54138563d3102940169cbae541b07187ed

SHA256
4e23d0c565d4500f78f0977a6f05b1521592ac965f2b8817858d872e30ea790b

SHA512
26e191eb125b0447a224a64cadcb9f1667c119fcc2ace3231c635975fb96190fba99f650fe45af893215ec98fa24477e6a99689b5008e4e3f97000adca3745d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1e4e7d7-faef-4968-bc84-bb37ecaa36cc.vbs

Filesize
722B

MD5
54ecfed6ed7099d17383d5045dfd65aa

SHA1
5cd2ac7ca5387714a77da3c2cebc06521466db6c

SHA256
8583ecf166f4f4eba99b5712ef955dc24fbaffe17e31569f0478cd5897fb1bec

SHA512
c9f2a3cb91e517db16b87ad67d8f9ca131a99cd6270a39ec7f06b90ee183936314a33a2eaf8cebbc15bce93864d4da279957298d67132048c940570dd6611a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7022bd0-11e2-4e78-898c-e7ecaf8fcc68.vbs

Filesize
722B

MD5
e334d1a79fe7455859167927d1ecb4b8

SHA1
a4b9d2429645efa0f47628184db79ec60edaa31d

SHA256
2dbe016e6db3aa497252b6b4d51afac2149fd1bf3cf62650a3dddcde69571c40

SHA512
6cbff8ee0fd0280700109943b1832947b6cd16920d63be9d10b345ad78caa5b98d6cb0122291cdd7340725806f827c56723ec96c486a731da32dcd4a940b8eab

Download Submit
C:\Windows\System32\mfc110kor\SppExtComObj.exe

Filesize
1.5MB

MD5
d36cc4a093e0bc7ca5a9342ab6012419

SHA1
ce5387ec8626e899804182655ad84ed339771ed1

SHA256
e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1

SHA512
df08e46279f1726a78b73b2191b7e878512e84520eed04f5b45aa14553447e216bf9b3a44d0478947d340ced9c434b7526266b4380f0fe16196eb8da5c8206be

Download Submit
memory/3180-364-0x0000000001270000-0x0000000001282000-memory.dmp

Filesize
72KB

Download
memory/3348-404-0x0000000002DD0000-0x0000000002DE2000-memory.dmp

Filesize
72KB

Download
memory/3356-13-0x0000000003170000-0x000000000317A000-memory.dmp

Filesize
40KB

Download
memory/3356-14-0x0000000003180000-0x000000000318C000-memory.dmp

Filesize
48KB

Download
memory/3356-219-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-1-0x0000000000E30000-0x0000000000FAE000-memory.dmp

Filesize
1.5MB

Download
memory/3356-25-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-24-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-21-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/3356-20-0x00000000031D0000-0x00000000031DC000-memory.dmp

Filesize
48KB

Download
memory/3356-18-0x00000000031C0000-0x00000000031C8000-memory.dmp

Filesize
32KB

Download
memory/3356-17-0x00000000031B0000-0x00000000031BC000-memory.dmp

Filesize
48KB

Download
memory/3356-2-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-16-0x00000000031A0000-0x00000000031A8000-memory.dmp

Filesize
32KB

Download
memory/3356-15-0x0000000003190000-0x000000000319A000-memory.dmp

Filesize
40KB

Download
memory/3356-4-0x0000000003080000-0x0000000003092000-memory.dmp

Filesize
72KB

Download
memory/3356-3-0x0000000001A00000-0x0000000001A08000-memory.dmp

Filesize
32KB

Download
memory/3356-5-0x00000000030F0000-0x00000000030FC000-memory.dmp

Filesize
48KB

Download
memory/3356-0-0x00007FFDEED13000-0x00007FFDEED15000-memory.dmp

Filesize
8KB

Download
memory/3356-12-0x0000000003160000-0x0000000003168000-memory.dmp

Filesize
32KB

Download
memory/3356-11-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/3356-6-0x00000000030E0000-0x00000000030EA000-memory.dmp

Filesize
40KB

Download
memory/3356-10-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/3356-9-0x0000000003130000-0x000000000313C000-memory.dmp

Filesize
48KB

Download
memory/3356-8-0x0000000003120000-0x0000000003128000-memory.dmp

Filesize
32KB

Download
memory/3356-7-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/4172-263-0x0000000002CF0000-0x0000000002D02000-memory.dmp

Filesize
72KB

Download
memory/4464-248-0x000000001C4C0000-0x000000001C5C2000-memory.dmp

Filesize
1.0MB

Download
memory/4464-220-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4544-140-0x000002A05B250000-0x000002A05B272000-memory.dmp

Filesize
136KB

Download
memory/4780-396-0x0000000002A60000-0x0000000002A72000-memory.dmp

Filesize
72KB

Download
memory/4876-261-0x000000001B990000-0x000000001BA92000-memory.dmp

Filesize
1.0MB

Download
memory/5076-308-0x0000000001AF0000-0x0000000001B02000-memory.dmp

Filesize
72KB

Download