dcrat | e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/01/2025, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Size

1.5MB
MD5

d36cc4a093e0bc7ca5a9342ab6012419
SHA1

ce5387ec8626e899804182655ad84ed339771ed1
SHA256

e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1
SHA512

df08e46279f1726a78b73b2191b7e878512e84520eed04f5b45aa14553447e216bf9b3a44d0478947d340ced9c434b7526266b4380f0fe16196eb8da5c8206be
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2764	schtasks.exe
		2680	schtasks.exe
		2656	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\recovery\6203df4a6bafc7		e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
		2760	schtasks.exe
		2808	schtasks.exe
		2660	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\", \"C:\\Windows\\System32\\sdengin2\\taskhost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\", \"C:\\Windows\\System32\\sdengin2\\taskhost.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\", \"C:\\Windows\\System32\\sdengin2\\taskhost.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\", \"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\", \"C:\\Windows\\System32\\sdengin2\\taskhost.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\", \"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\", \"C:\\Users\\All Users\\lsass.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\recovery\\lsass.exe\", \"C:\\Windows\\System32\\sdengin2\\taskhost.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\", \"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\", \"C:\\Users\\All Users\\lsass.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2820	schtasks.exe	30

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
596	powershell.exe
328	powershell.exe
2612	powershell.exe
2916	powershell.exe
2036	powershell.exe
2164	powershell.exe
1084	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Executes dropped EXE 14 IoCs

pid	Process
1560	taskhost.exe
2460	taskhost.exe
668	taskhost.exe
2264	taskhost.exe
1392	taskhost.exe
2692	taskhost.exe
2688	taskhost.exe
2368	taskhost.exe
1652	taskhost.exe
1436	taskhost.exe
2268	taskhost.exe
2828	taskhost.exe
1640	taskhost.exe
3048	taskhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\recovery\\lsass.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\it-IT\\csrss.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\lsass.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\recovery\\lsass.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\sdengin2\\taskhost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\sdengin2\\taskhost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\SearchProtocolHost\\taskhost.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\lsass.exe\""	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\recovery\RCXBB45.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\sdengin2\RCXBD49.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\SearchProtocolHost\RCXC150.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\recovery\lsass.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\recovery\6203df4a6bafc7	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\sdengin2\taskhost.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\sdengin2\b75386f1303e64	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\SearchProtocolHost\b75386f1303e64	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\SearchProtocolHost\taskhost.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\recovery\lsass.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Windows\System32\SearchProtocolHost\taskhost.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Windows\System32\sdengin2\taskhost.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\1610b97d3ab4a7	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\RCXBF4C.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\csrss.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\RCXC5C5.tmp	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Program Files\Windows Journal\it-IT\csrss.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Program Files\Windows Journal\it-IT\886983d96e3d3e	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
2808	schtasks.exe
2660	schtasks.exe
2764	schtasks.exe
2680	schtasks.exe
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
328	powershell.exe
2916	powershell.exe
596	powershell.exe
1084	powershell.exe
2036	powershell.exe
2612	powershell.exe
2164	powershell.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe
1560	taskhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1560	taskhost.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2460	taskhost.exe
Token: SeDebugPrivilege	668	taskhost.exe
Token: SeDebugPrivilege	2264	taskhost.exe
Token: SeDebugPrivilege	1392	taskhost.exe
Token: SeDebugPrivilege	2692	taskhost.exe
Token: SeDebugPrivilege	2688	taskhost.exe
Token: SeDebugPrivilege	2368	taskhost.exe
Token: SeDebugPrivilege	1652	taskhost.exe
Token: SeDebugPrivilege	1436	taskhost.exe
Token: SeDebugPrivilege	2268	taskhost.exe
Token: SeDebugPrivilege	2828	taskhost.exe
Token: SeDebugPrivilege	1640	taskhost.exe
Token: SeDebugPrivilege	3048	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2036	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	37
PID 1872 wrote to memory of 2036	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	37
PID 1872 wrote to memory of 2036	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	37
PID 1872 wrote to memory of 2164	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	38
PID 1872 wrote to memory of 2164	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	38
PID 1872 wrote to memory of 2164	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	38
PID 1872 wrote to memory of 1084	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	39
PID 1872 wrote to memory of 1084	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	39
PID 1872 wrote to memory of 1084	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	39
PID 1872 wrote to memory of 596	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	40
PID 1872 wrote to memory of 596	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	40
PID 1872 wrote to memory of 596	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	40
PID 1872 wrote to memory of 328	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	41
PID 1872 wrote to memory of 328	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	41
PID 1872 wrote to memory of 328	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	41
PID 1872 wrote to memory of 2612	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	42
PID 1872 wrote to memory of 2612	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	42
PID 1872 wrote to memory of 2612	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	42
PID 1872 wrote to memory of 2916	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	43
PID 1872 wrote to memory of 2916	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	43
PID 1872 wrote to memory of 2916	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	43
PID 1872 wrote to memory of 1560	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	51
PID 1872 wrote to memory of 1560	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	51
PID 1872 wrote to memory of 1560	1872	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe	51
PID 1560 wrote to memory of 2540	1560	taskhost.exe	53
PID 1560 wrote to memory of 2540	1560	taskhost.exe	53
PID 1560 wrote to memory of 2540	1560	taskhost.exe	53
PID 1560 wrote to memory of 2500	1560	taskhost.exe	54
PID 1560 wrote to memory of 2500	1560	taskhost.exe	54
PID 1560 wrote to memory of 2500	1560	taskhost.exe	54
PID 2540 wrote to memory of 2460	2540	WScript.exe	55
PID 2540 wrote to memory of 2460	2540	WScript.exe	55
PID 2540 wrote to memory of 2460	2540	WScript.exe	55
PID 2460 wrote to memory of 2632	2460	taskhost.exe	56
PID 2460 wrote to memory of 2632	2460	taskhost.exe	56
PID 2460 wrote to memory of 2632	2460	taskhost.exe	56
PID 2460 wrote to memory of 2364	2460	taskhost.exe	57
PID 2460 wrote to memory of 2364	2460	taskhost.exe	57
PID 2460 wrote to memory of 2364	2460	taskhost.exe	57
PID 2632 wrote to memory of 668	2632	WScript.exe	58
PID 2632 wrote to memory of 668	2632	WScript.exe	58
PID 2632 wrote to memory of 668	2632	WScript.exe	58
PID 668 wrote to memory of 2108	668	taskhost.exe	59
PID 668 wrote to memory of 2108	668	taskhost.exe	59
PID 668 wrote to memory of 2108	668	taskhost.exe	59
PID 668 wrote to memory of 1440	668	taskhost.exe	60
PID 668 wrote to memory of 1440	668	taskhost.exe	60
PID 668 wrote to memory of 1440	668	taskhost.exe	60
PID 2108 wrote to memory of 2264	2108	WScript.exe	61
PID 2108 wrote to memory of 2264	2108	WScript.exe	61
PID 2108 wrote to memory of 2264	2108	WScript.exe	61
PID 2264 wrote to memory of 1748	2264	taskhost.exe	62
PID 2264 wrote to memory of 1748	2264	taskhost.exe	62
PID 2264 wrote to memory of 1748	2264	taskhost.exe	62
PID 2264 wrote to memory of 2996	2264	taskhost.exe	63
PID 2264 wrote to memory of 2996	2264	taskhost.exe	63
PID 2264 wrote to memory of 2996	2264	taskhost.exe	63
PID 1748 wrote to memory of 1392	1748	WScript.exe	64
PID 1748 wrote to memory of 1392	1748	WScript.exe	64
PID 1748 wrote to memory of 1392	1748	WScript.exe	64
PID 1392 wrote to memory of 1048	1392	taskhost.exe	65
PID 1392 wrote to memory of 1048	1392	taskhost.exe	65
PID 1392 wrote to memory of 1048	1392	taskhost.exe	65
PID 1392 wrote to memory of 1596	1392	taskhost.exe	66

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe
"C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\recovery\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sdengin2\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SearchProtocolHost\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\sdengin2\taskhost.exe
  "C:\Windows\System32\sdengin2\taskhost.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1560
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed56dd5f-b624-4bad-bdc7-31e2fa8db77a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\System32\sdengin2\taskhost.exe
      C:\Windows\System32\sdengin2\taskhost.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2460
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a982427-2912-4480-8cf6-77cccfe4a1c6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69435a10-2962-4a3e-90f4-82c9a00eb21c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d76f1b4e-2014-4ca3-9042-048123548d67.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\439c28c0-4602-4032-b5ca-78f8a374d8e4.vbs"
        11⤵
        
        PID:1048
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89cb4f6f-3e79-4e43-af2b-6f9914244354.vbs"
        13⤵
        
        PID:3052
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a45811b-9da9-4ec7-9ab5-df08298dc830.vbs"
        15⤵
        
        PID:2824
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\400902c3-2834-4df9-98b8-161884ba6e51.vbs"
        17⤵
        
        PID:1660
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fce44b0-81d2-419b-82bf-b7ed8c9fb92c.vbs"
        19⤵
        
        PID:2964
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4311002d-500a-4246-b85d-75a805b6f785.vbs"
        21⤵
        
        PID:1764
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67732edb-db2e-463e-8d39-e39d4a2541e7.vbs"
        23⤵
        
        PID:1708
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e46a4a-9dd8-4f72-a8cd-cb60649be199.vbs"
        25⤵
        
        PID:2976
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f47ba78-b36a-4c55-a324-d8e26620060e.vbs"
        27⤵
        
        PID:596
        
        C:\Windows\System32\sdengin2\taskhost.exe
        
        C:\Windows\System32\sdengin2\taskhost.exe
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e248c018-1c06-41a3-872d-d0398e8c1028.vbs"
        29⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e530b9e7-d23a-4b0f-b49a-4bad55a0d19d.vbs"
        29⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aea21bac-cff9-417f-969e-9154e9592729.vbs"
        27⤵
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01bdd3fa-b8f3-4875-a02b-9aad2225762e.vbs"
        25⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6060ea0e-84d3-4153-8eb6-7dacb066575f.vbs"
        23⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3c41e6-21f0-4ca0-938e-a41a16563c4d.vbs"
        21⤵
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c678fb-abaf-479f-a069-df4987faad45.vbs"
        19⤵
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f191819a-5ee7-4de9-a190-e2e829a7cb72.vbs"
        17⤵
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b0fef7d-8ff9-4c7b-8305-2966653688cc.vbs"
        15⤵
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\418a2d1c-a2f8-4f4e-9a47-4cb9bb76db11.vbs"
        13⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b3a3616-8b98-4154-bd60-b2e2d55e1bec.vbs"
        11⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74664bfd-70d6-421c-9796-7f414ccae981.vbs"
        9⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca7d13fb-df7f-4b3b-a76a-c219e5e4c139.vbs"
        7⤵
        
        PID:1440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0bc5f22-a532-4e98-9063-92e49722a0ff.vbs"
        5⤵
        
        PID:2364
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb5e7e5-0a1b-4563-9296-6de8ced1860a.vbs"
    3⤵
    PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\recovery\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\sdengin2\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\SearchProtocolHost\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lsass.exe

Filesize
1.5MB

MD5
d36cc4a093e0bc7ca5a9342ab6012419

SHA1
ce5387ec8626e899804182655ad84ed339771ed1

SHA256
e83194ac6af90662225fd216fae289c52a2d8392bbc35a2b1e131bef7ae354f1

SHA512
df08e46279f1726a78b73b2191b7e878512e84520eed04f5b45aa14553447e216bf9b3a44d0478947d340ced9c434b7526266b4380f0fe16196eb8da5c8206be

Download Submit
C:\ProgramData\lsass.exe

Filesize
1.5MB

MD5
42dc5367be2730a142529d9b1b21e2c2

SHA1
84a7d4eb523597b5bdcc20ca6821ea556f99f4e8

SHA256
60af05ae81e2e6947064eae1062debfcdb969bedc120971bc6f42a78bed5cfab

SHA512
e8d7d6e3d71ab00d15571bbd593adbf624dce7c9dbd7f997c0539407e7acbd269db85317f3da5609c284645ced94bb4c15571c0fda0de795d9b0143907a80d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fce44b0-81d2-419b-82bf-b7ed8c9fb92c.vbs

Filesize
717B

MD5
1dc8d4bd02c873c5065a295d1c29e07c

SHA1
ae9747e1fe6553726be4f254009fc1ed20426a55

SHA256
d12034f3bfc9c6b656f9b9249e058f89e7fed3f98266b13acb101bd7c523f3cd

SHA512
53b096b48dc1c2ba47abd1cc66f0952f6b56b8fc76697973154e0b9e35047ee46cfd5ade18915067098d88c87403516b5ec3d6ea9ac88c995f3c0b1a64f1016f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a45811b-9da9-4ec7-9ab5-df08298dc830.vbs

Filesize
717B

MD5
9bc0f9b35b7123b0c5997e0b99c38690

SHA1
144202d712c4267c3c23de38efc2543521645630

SHA256
93c502023e8ab0aaf82c42c9998e4817d11f2a4f3e7f664b2b0fe6742e8a760a

SHA512
cf84e37917d27cfed463afd3f3a7a7a6fcce775532872ad05029203789c7ec9308d195d067ba6c386f735df479aa4b773275c75163a26aca38e328dd0bf3ee59

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a982427-2912-4480-8cf6-77cccfe4a1c6.vbs

Filesize
717B

MD5
b3fc9c22dc71aa11c3f5012de1d8c3ab

SHA1
dbd442521761f8f21c3ad1e8b38f67d1e78612fc

SHA256
31915684b1123bb5ec373615bb3f81fc0440a8450dbe13d58922f92177764187

SHA512
4d5a109d94009e8bce25bd11fe68518272db2f6e2a8076880aa208504966612ca059071945400435b8e5d755b9c51b47c4ab6b293e905af790c8d8402134853b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f47ba78-b36a-4c55-a324-d8e26620060e.vbs

Filesize
717B

MD5
5363863b0433598e1b05dc1a5507900c

SHA1
0c4bc4faa1f3bd436715547f31cfaa9cadb40dd4

SHA256
820c7107205c1f820dfef39003fafa774579929d84324641131f8d3abf327200

SHA512
28fbab9ffc386def05bb687b76d161d0cf28040cf319da6e364fe1fc77e6f0a44648058d80d78bb620cd22863738293724b0365cb3c24a871077c86a5f832dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\400902c3-2834-4df9-98b8-161884ba6e51.vbs

Filesize
717B

MD5
044df3aa7c92f32229b4927049728aec

SHA1
3bf0c2d4ba5cd5e6fb73fa9585c627ae04c607e4

SHA256
c87b2087a8fa3c02078d1ea64b88a6998ccf06449634d0b89cbb6d24adb1ef4e

SHA512
361f8709578387316f5ef38b584f80f08e7296529533fa4dbf6fa399a99f908e17262683a50c7a1e4384e553ce1fd1bb7b17772e92883e551e42d921d5b95552

Download Submit
C:\Users\Admin\AppData\Local\Temp\4311002d-500a-4246-b85d-75a805b6f785.vbs

Filesize
717B

MD5
1754f94da45f01202af59eac9a515476

SHA1
9a772010f00db69d9e759713d9be7caf28f99f10

SHA256
f5068bde5f19dc0975e16a5c553246538dc33e47b50a3bdeaf8a0f8f639506bd

SHA512
40a0c57566fbe0424751ed12e6947705b0b2f47973afd2f38a66c9b361d8281338053804130e932ca14a7c4d3e08d355174cef2472f89c87b445ee1264891c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\439c28c0-4602-4032-b5ca-78f8a374d8e4.vbs

Filesize
717B

MD5
1244c3948a591754701ea6f0e0fbe638

SHA1
995e09dc05d87ba846cdbe19ef16f8663183bbbc

SHA256
0e34ee99dce3f9590e5567264510e9224570714238d0c0195c105dbd0b26cef1

SHA512
d586c728856b269778b7a0c1abe5d25ced7c717cf3a967692d702c08cf43ff2908d1da76138714e0ec298b5e9be5acec47a9a6312cfa1a68ad736accefc6fc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\67732edb-db2e-463e-8d39-e39d4a2541e7.vbs

Filesize
717B

MD5
ba66bed1b81813b180ab15f205a7ec70

SHA1
16361f68df01470b3456082abb920d2cc5500339

SHA256
a2e18a9724f6ae5d2f41065fa07e472040509ef040f0c2145436693321e32b97

SHA512
87c5edce0f6a13ab9d1d92627a1f412e00b4cb901730e04d6e0080cc82b11347e49406bd7ae04da68cba8768afa0c8dd21fe0c3f3c259e940bec79e8bff75387

Download Submit
C:\Users\Admin\AppData\Local\Temp\69435a10-2962-4a3e-90f4-82c9a00eb21c.vbs

Filesize
716B

MD5
1c187b68c6a9e5224ad159583cfb620f

SHA1
12ea455820cf4e7fcf33d65524dc5311218194c9

SHA256
eb312415546bc670ee1de100f2e16614b210787a844d9151de4de32fe9f5be51

SHA512
02db6bbd6dd768206a991087a47c63241a6c38f2261f3f2826bdf8bd55a1f0e257096f509b9ee901419310f080e863124a8bfc7fc4b9be39b5fbb90c609fd536

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cb5e7e5-0a1b-4563-9296-6de8ced1860a.vbs

Filesize
493B

MD5
7cbebf525a6bf4695e3db6dfa9201484

SHA1
ca1f3fc7a6c4799154a70a137a53ba69fd97da43

SHA256
614c03831c982d894ad35b231b219c0a216e9f9f44f12cb29a77f85a5eb3f9fd

SHA512
9e6cf90f26a28aaeccddc93576b1fb910eab4ca413890d9072965630dd40c9b8705eab6be8e2574b53771731ae48610a6591f8b216e2015769399810ea52f1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\89cb4f6f-3e79-4e43-af2b-6f9914244354.vbs

Filesize
717B

MD5
046909918a4e69b4d3303de7a7242dc2

SHA1
9a45e4c037d6b29872b2fd89778dd13c881837e6

SHA256
c40ad8cc7b12c12145c0e99bb82594133ae235ec257c9c3593cfcd5363b26ccf

SHA512
d8300dc7accbaf00f643bdfaecb2bd4e9e8ee0337dbdb19f3f228ec15ad1f6b8e1bae6cce601ad93554892b48497382a2917793ed0b043c45da86b5f0805d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8e46a4a-9dd8-4f72-a8cd-cb60649be199.vbs

Filesize
717B

MD5
f644bba7b4d633fa713d3389e1157ee5

SHA1
62b9dd7906b5619bdad90118ccb88ca0cbd84fd4

SHA256
4a5a2c557befe660bdf4d1c143396aefa88e4f7a2b1a3e2a92c0d796c341a8aa

SHA512
29d21c0ba5789bffea48c57a79352cb600327419a9025774cb2c52d81f1ab74a6185db9a62fb5f82c7af8e509e46ecd4d5b4b15189334373f10bf5ece54080e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d76f1b4e-2014-4ca3-9042-048123548d67.vbs

Filesize
717B

MD5
5d7f61eb8f822995e472dcdcd6eb0558

SHA1
fcd57e59b4b5e05f84136287f689d4a647b09040

SHA256
8e80da241d6268dd6cbfd55ad82e5b7279da09608cffec1a05becb4682f81684

SHA512
b0d587792e15f1426a4ac32bf8e1da773ea0ac6c6ff8256528f325f58daec926016dedc8570287521116522dcc50d9df81ef9832763d72f59cdf861065e8459f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e248c018-1c06-41a3-872d-d0398e8c1028.vbs

Filesize
717B

MD5
ded76fdee4d73258e732be207abbe14d

SHA1
a0b442c4d0faa6e8ad54bb20f59f9da42d91fef7

SHA256
75d2437fe81a5480579a09813152c841d422fc9365fb30a601290c7332848bdf

SHA512
513fb19eb4fcb1219f32ce72e44423b96476c594660a2ab5fb2fba473d00fa56c50f61ec7a0461961b93f16d7f2eeec870342ebd76d6a2cf0a445bde2ef6673c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed56dd5f-b624-4bad-bdc7-31e2fa8db77a.vbs

Filesize
717B

MD5
c22d242e2b7c3b3e8bcf42cca0c00931

SHA1
e0fc83d4b6b6c8b3d3d4f36675102bd8b963f8f6

SHA256
1050d24a2958e6c80c4aabaad322261ab1f84ec664100b06a44fd28a3c2ad170

SHA512
0d8c627ead780ec53901e2cf220a42e49a92e5533655f643a294729efa0c3d09d09ccf20efbfa381ef6c6ca3ec79d689914657bb0d802930a6ceb291e895213c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3abf60a3500067830997d162cfaffddd

SHA1
29d4fb425a7b44443e766dba490dfdad9c58aafd

SHA256
e86ca20e61c8cad8a906ea1e0afdc42e187fc8e1d1041fed20b416718fbe45b6

SHA512
ebb1ecbc3828f4ad9b1783353db4a60c718024be02566ba566ea695c93aceebd6a69fa14ec019246b19c5c9a37c89d733eb3a431431dc77e215b1223116120fc

Download Submit
memory/596-107-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/596-109-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/668-145-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1392-169-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1560-101-0x00000000011F0000-0x000000000136E000-memory.dmp

Filesize
1.5MB

Download
memory/1640-260-0x0000000000070000-0x00000000001EE000-memory.dmp

Filesize
1.5MB

Download
memory/1872-6-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/1872-10-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/1872-16-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1872-17-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/1872-106-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-15-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/1872-14-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1872-13-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/1872-24-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-12-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1872-1-0x0000000000BD0000-0x0000000000D4E000-memory.dmp

Filesize
1.5MB

Download
memory/1872-11-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1872-21-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/1872-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/1872-9-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1872-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-8-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1872-7-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/1872-18-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1872-5-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/1872-4-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1872-20-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/1872-3-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/2264-157-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2688-192-0x0000000001390000-0x000000000150E000-memory.dmp

Filesize
1.5MB

Download
memory/2828-248-0x0000000000340000-0x00000000004BE000-memory.dmp

Filesize
1.5MB

Download
memory/3048-272-0x0000000000F00000-0x000000000107E000-memory.dmp

Filesize
1.5MB

Download