dcrat | e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8

Analysis

max time kernel
151s
max time network
165s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9a7a84e51c67d1a641349c9195c4f74.exe
Size

1.1MB
MD5

d9a7a84e51c67d1a641349c9195c4f74
SHA1

ab7430806db422ec6dc6bf7c378d70f36125c33f
SHA256

98be7f502a04b1116647aec47e8e1061d2c26404d6e7855423371fe01d8f5ef9
SHA512

fd9a242d657e746ddd07474fefe772afb1b4060db34bb030d1ce8abd7c4ff1af235b209606ea8f43aaf87ae30e1cbfd5b23986344b23a6a50bf13b35deb97ee7
SSDEEP

12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\", \"C:\\Windows\\System32\\xmlfilter\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\", \"C:\\Windows\\System32\\xmlfilter\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\winlogon.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\", \"C:\\Windows\\System32\\xmlfilter\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\winlogon.exe\", \"C:\\Windows\\System32\\tapiui\\csrss.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\", \"C:\\Windows\\System32\\xmlfilter\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\winlogon.exe\", \"C:\\Windows\\System32\\tapiui\\csrss.exe\", \"C:\\Users\\Default\\services.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\", \"C:\\Windows\\System32\\xmlfilter\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\winlogon.exe\", \"C:\\Windows\\System32\\tapiui\\csrss.exe\", \"C:\\Users\\Default\\services.exe\", \"C:\\Windows\\System32\\netevent\\winlogon.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\", \"C:\\Windows\\System32\\xmlfilter\\wininit.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2908	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2336	powershell.exe
1424	powershell.exe
264	powershell.exe
1756	powershell.exe
2428	powershell.exe
2424	powershell.exe
1500	powershell.exe
576	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d9a7a84e51c67d1a641349c9195c4f74.exe

Executes dropped EXE 11 IoCs

pid	Process
540	wininit.exe
2052	wininit.exe
1052	wininit.exe
2444	wininit.exe
2336	wininit.exe
3068	wininit.exe
1148	wininit.exe
2836	wininit.exe
1452	wininit.exe
1336	wininit.exe
1648	wininit.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\tapiui\\csrss.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\services.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\xmlfilter\\wininit.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\tapiui\\csrss.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\services.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\netevent\\winlogon.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\netevent\\winlogon.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\dllhost.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\xmlfilter\\wininit.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\winlogon.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\winlogon.exe\""	d9a7a84e51c67d1a641349c9195c4f74.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d9a7a84e51c67d1a641349c9195c4f74.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\tapiui\csrss.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Windows\System32\tapiui\886983d96e3d3e	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Windows\System32\netevent\cc11b995f2a76d	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Windows\System32\tapiui\csrss.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Windows\System32\xmlfilter\wininit.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Windows\System32\xmlfilter\56085415360792	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Windows\System32\netevent\winlogon.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Windows\System32\xmlfilter\RCX7A50.tmp	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Windows\System32\xmlfilter\wininit.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Windows\System32\tapiui\RCX8117.tmp	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Windows\System32\netevent\RCX85AB.tmp	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Windows\System32\netevent\winlogon.exe	d9a7a84e51c67d1a641349c9195c4f74.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\winlogon.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\5940a34987c991	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\winlogon.exe	d9a7a84e51c67d1a641349c9195c4f74.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\cc11b995f2a76d	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCX783D.tmp	d9a7a84e51c67d1a641349c9195c4f74.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\RCX7EE4.tmp	d9a7a84e51c67d1a641349c9195c4f74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1676	schtasks.exe
2928	schtasks.exe
2820	schtasks.exe
2808	schtasks.exe
2656	schtasks.exe
2664	schtasks.exe
836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
3052	d9a7a84e51c67d1a641349c9195c4f74.exe
576	powershell.exe
1756	powershell.exe
1424	powershell.exe
1500	powershell.exe
2428	powershell.exe
2424	powershell.exe
2336	powershell.exe
264	powershell.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe
540	wininit.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	d9a7a84e51c67d1a641349c9195c4f74.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	540	wininit.exe
Token: SeDebugPrivilege	2052	wininit.exe
Token: SeDebugPrivilege	1052	wininit.exe
Token: SeDebugPrivilege	2444	wininit.exe
Token: SeDebugPrivilege	2336	wininit.exe
Token: SeDebugPrivilege	3068	wininit.exe
Token: SeDebugPrivilege	1148	wininit.exe
Token: SeDebugPrivilege	2836	wininit.exe
Token: SeDebugPrivilege	1452	wininit.exe
Token: SeDebugPrivilege	1336	wininit.exe
Token: SeDebugPrivilege	1648	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1500	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	38
PID 3052 wrote to memory of 1500	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	38
PID 3052 wrote to memory of 1500	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	38
PID 3052 wrote to memory of 576	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	39
PID 3052 wrote to memory of 576	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	39
PID 3052 wrote to memory of 576	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	39
PID 3052 wrote to memory of 2336	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	40
PID 3052 wrote to memory of 2336	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	40
PID 3052 wrote to memory of 2336	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	40
PID 3052 wrote to memory of 264	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	41
PID 3052 wrote to memory of 264	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	41
PID 3052 wrote to memory of 264	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	41
PID 3052 wrote to memory of 1424	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	43
PID 3052 wrote to memory of 1424	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	43
PID 3052 wrote to memory of 1424	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	43
PID 3052 wrote to memory of 1756	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	44
PID 3052 wrote to memory of 1756	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	44
PID 3052 wrote to memory of 1756	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	44
PID 3052 wrote to memory of 2428	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	45
PID 3052 wrote to memory of 2428	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	45
PID 3052 wrote to memory of 2428	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	45
PID 3052 wrote to memory of 2424	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	46
PID 3052 wrote to memory of 2424	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	46
PID 3052 wrote to memory of 2424	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	46
PID 3052 wrote to memory of 1164	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	54
PID 3052 wrote to memory of 1164	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	54
PID 3052 wrote to memory of 1164	3052	d9a7a84e51c67d1a641349c9195c4f74.exe	54
PID 1164 wrote to memory of 1060	1164	cmd.exe	56
PID 1164 wrote to memory of 1060	1164	cmd.exe	56
PID 1164 wrote to memory of 1060	1164	cmd.exe	56
PID 1164 wrote to memory of 540	1164	cmd.exe	57
PID 1164 wrote to memory of 540	1164	cmd.exe	57
PID 1164 wrote to memory of 540	1164	cmd.exe	57
PID 540 wrote to memory of 2996	540	wininit.exe	58
PID 540 wrote to memory of 2996	540	wininit.exe	58
PID 540 wrote to memory of 2996	540	wininit.exe	58
PID 540 wrote to memory of 2124	540	wininit.exe	59
PID 540 wrote to memory of 2124	540	wininit.exe	59
PID 540 wrote to memory of 2124	540	wininit.exe	59
PID 2996 wrote to memory of 2052	2996	WScript.exe	60
PID 2996 wrote to memory of 2052	2996	WScript.exe	60
PID 2996 wrote to memory of 2052	2996	WScript.exe	60
PID 2052 wrote to memory of 2836	2052	wininit.exe	61
PID 2052 wrote to memory of 2836	2052	wininit.exe	61
PID 2052 wrote to memory of 2836	2052	wininit.exe	61
PID 2052 wrote to memory of 1752	2052	wininit.exe	62
PID 2052 wrote to memory of 1752	2052	wininit.exe	62
PID 2052 wrote to memory of 1752	2052	wininit.exe	62
PID 2836 wrote to memory of 1052	2836	WScript.exe	63
PID 2836 wrote to memory of 1052	2836	WScript.exe	63
PID 2836 wrote to memory of 1052	2836	WScript.exe	63
PID 1052 wrote to memory of 880	1052	wininit.exe	64
PID 1052 wrote to memory of 880	1052	wininit.exe	64
PID 1052 wrote to memory of 880	1052	wininit.exe	64
PID 1052 wrote to memory of 1020	1052	wininit.exe	65
PID 1052 wrote to memory of 1020	1052	wininit.exe	65
PID 1052 wrote to memory of 1020	1052	wininit.exe	65
PID 880 wrote to memory of 2444	880	WScript.exe	66
PID 880 wrote to memory of 2444	880	WScript.exe	66
PID 880 wrote to memory of 2444	880	WScript.exe	66
PID 2444 wrote to memory of 2208	2444	wininit.exe	67
PID 2444 wrote to memory of 2208	2444	wininit.exe	67
PID 2444 wrote to memory of 2208	2444	wininit.exe	67
PID 2444 wrote to memory of 2132	2444	wininit.exe	68

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d9a7a84e51c67d1a641349c9195c4f74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d9a7a84e51c67d1a641349c9195c4f74.exe
"C:\Users\Admin\AppData\Local\Temp\d9a7a84e51c67d1a641349c9195c4f74.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d9a7a84e51c67d1a641349c9195c4f74.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\xmlfilter\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\tapiui\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\netevent\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GL3Og2LcGo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1060
- - C:\Windows\System32\xmlfilter\wininit.exe
    "C:\Windows\System32\xmlfilter\wininit.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:540
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0425d43-abc7-4554-a01a-5186d217294b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2052
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31eeb078-d04e-45ac-9cce-a3369e2a2095.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d36ac9c7-7b97-4034-8df4-43a03f7d80d0.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1493d98-dba2-48de-bd1b-658b37d1dfd5.vbs"
        10⤵
        
        PID:2208
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3720330b-3e25-4857-aa9f-d6d8d43e8d58.vbs"
        12⤵
        
        PID:1236
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebd828d2-e72a-47eb-b477-71f4b93cbaad.vbs"
        14⤵
        
        PID:1652
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e8826e1-5ccf-455b-8c8a-80e8578de121.vbs"
        16⤵
        
        PID:1064
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cde5297-03ac-4323-be9b-438adf1d0299.vbs"
        18⤵
        
        PID:332
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\accca69d-6a4a-4e18-b638-7d5f31115a2d.vbs"
        20⤵
        
        PID:748
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5fb51ad-7069-4640-8319-57c0694cbf9f.vbs"
        22⤵
        
        PID:1688
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3678956-d5df-464b-a3ed-88b3551f64c3.vbs"
        24⤵
        
        PID:1696
        
        C:\Windows\System32\xmlfilter\wininit.exe
        
        C:\Windows\System32\xmlfilter\wininit.exe
        25⤵
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\786f4251-c75f-4bd5-aae6-f3d7f385d29d.vbs"
        26⤵
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc1fb292-dab4-4b44-9e75-280a69bbca86.vbs"
        26⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2d1e61e-bda9-4fb8-a7c1-aefd39352cfd.vbs"
        24⤵
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f80ccdad-8930-4fec-8fa1-da87f0351561.vbs"
        22⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56a259d5-1c86-4a56-bd1a-459a8591d878.vbs"
        20⤵
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2088cd61-8a7d-4794-ac20-1d7f0749e9c4.vbs"
        18⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a74f226-eea9-4825-a6fb-d9845f100a77.vbs"
        16⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67825b0a-173e-4660-879a-0c0f0636acc9.vbs"
        14⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b5038c-9864-4300-905a-b971575640f1.vbs"
        12⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e05279d9-0aaf-43ce-89e3-7adbd9495bcc.vbs"
        10⤵
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\852e5115-7628-4718-b7a5-1695abde0962.vbs"
        8⤵
        
        PID:1020
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83bf72f6-0a8b-4c0d-b3f5-4a4dd7e76abf.vbs"
        6⤵
        
        PID:1752
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1bb8f43-d1a9-4d85-87d9-9c2b7d809268.vbs"
      4⤵
      PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\xmlfilter\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\tapiui\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\netevent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RCX7CD1.tmp

Filesize
1.1MB

MD5
31807f0e98323386fa170c3c1dc84f8d

SHA1
d0daa27e45706f6e1ecde8ea687f048fe10c50e4

SHA256
ed1112ac0a15aaa3192395397a9ea7c703ba795860d9e0af530069783debbc0c

SHA512
4069b4a82005c447fdcdeb9baca8ed5d2a17307cea128d8b54d893063915b971119a8808adc3e8a9bad78140ad1282dfefaf5fa4aa5401f247c676d308d30874

Download Submit
C:\Users\Admin\AppData\Local\Temp\31eeb078-d04e-45ac-9cce-a3369e2a2095.vbs

Filesize
717B

MD5
4583cb4157b7f8310ad4d314faab90e9

SHA1
301681c3993983c1c4846f524c5fd9c5c16c5b26

SHA256
b9b79ca352dceb61bd8576a65f15840603330b905cce35aba694b0482403a815

SHA512
c2cc7f64ae6b05c883490e61ab67e9b43af8f6810c9d56f345fb3b13df5b0e3e8e9840922e9624cf425b8e0796ef833192942f03ddb5e791dcf49ec9957a4944

Download Submit
C:\Users\Admin\AppData\Local\Temp\3720330b-3e25-4857-aa9f-d6d8d43e8d58.vbs

Filesize
717B

MD5
77d86ac1c3145e11ba3d54ec747b7066

SHA1
62b022cdf7f84b27084c53d4d49af00ad4aafa03

SHA256
35c09de4cd1c8ca0121dc29d37c4f7f20a56c50251c2d21ec52a8594279ff51e

SHA512
839e863d2d6755c3429791b27adf237b6dec814412afc7facbb6bcb6b708f997333cbfa66cbb41b322fae65f97e980d77db768387e668f98e050a50e6f88cd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cde5297-03ac-4323-be9b-438adf1d0299.vbs

Filesize
717B

MD5
9066bce2e9c51aafda48c8f475eb6130

SHA1
80fe193ac903a56f7cd6450bfe780504396dd3f3

SHA256
f48dcdc4970f5e47bd9de2693fa5d656c03112e5fb0c403be059cf9b4d7b38c2

SHA512
38558abe310cbb3d60b67af5a78a40a9f6783eb61b0f25071fb4ffe2dab3f76191ec548357253ddebc416e30834af944acd71474144e528d4ad08e20ce1fe1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e8826e1-5ccf-455b-8c8a-80e8578de121.vbs

Filesize
717B

MD5
849bbf297ee0f7d585c97ceaebf73e02

SHA1
b05fa57621b5635489efc65fc8910f5111a370d0

SHA256
ccebcc3469ba36d3043608811af6afffc1f93126efae8cc711a34b487513f88c

SHA512
0cfc2b41ee05e15f7c912c23ed3182b52edb93c708f8da279c2182acd0a142c43dfe3a3a85afb76703feda05df63cbcc5261823853ab421a81e24d534e921d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\70c9296fcd31ccdbcb9841270e1692161dba3f05.exe

Filesize
576KB

MD5
9ec8e0d17f192c6c468fdf5f75a4d9eb

SHA1
30650dc578ede41be07980d44d06933864d35fb0

SHA256
600c060fbe90b8cd6d64062afd7cde7403d59a2c1c80751ee521454f087ee320

SHA512
ccbe7fe05ebef1c680ecf05049bcf92bcbbd0ed5026481f260c99e7425f0011c68d42775419b0037b49295553a4ff9892d8bdd02d0bec556ddf140afcf934e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\786f4251-c75f-4bd5-aae6-f3d7f385d29d.vbs

Filesize
716B

MD5
32e92d2eaf4ea2dde3ee91b1efd49b01

SHA1
6a4a907837e2d866d62bb4a48ffdfc9964e74ebc

SHA256
00818be2eca4da0349bf46f86c8e821d583901f53778fae00f87e3ed165ac808

SHA512
3bf2e7a53cccfef5d4ac1b84aa849cf6ee4ebd0264b1615e8d5f5b77fc4b9bdf2fa7cc852169798685bc8f9cbf465686934fcfd1f5bae8fbb26d9c6891cf2624

Download Submit
C:\Users\Admin\AppData\Local\Temp\GL3Og2LcGo.bat

Filesize
205B

MD5
ecde9e778d495c5f48a02455aba8ec05

SHA1
30265767da7c43b92a751d1e6063b052eaaad1f6

SHA256
ec4885ac6118f992403e8da587b888a00b2917b7d7d179a0ffa841ad9bf2bff1

SHA512
d134b362425836572a84d95138bbdd25f8d08e4688abc53aa0c2cf0704071f09eb42b9290e1cb28369fc4ac3d40cd9fff6428af974bdef8a0eb6f7c17838f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\accca69d-6a4a-4e18-b638-7d5f31115a2d.vbs

Filesize
717B

MD5
f2768fcfd9cf5cfe84bc5b04af96daaf

SHA1
2437c264222b787cd1e9200811763e77d02ab50c

SHA256
bd4ee28c748c91a9818879d05dac1d2b854635763aba35e65ff44ed85fa019de

SHA512
749f64960f758ff80e00100bfb94d8d0071bb280d91afd5c64f09dce2fb20668fb23019bbbf156bc44996f559a3192b79b3ad5c4a2dc3e81b9573ffbffb69685

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0425d43-abc7-4554-a01a-5186d217294b.vbs

Filesize
716B

MD5
c20b357b8ba2e3b6b3d3b4048ec101af

SHA1
316eba35423bafbc45a7daee6753f655b9396172

SHA256
b6d2c7a172db54e444cb4f21bf1099e449b6755dd9914f682bd7e60128b10728

SHA512
7984fd2249dac45630bcc42c6804b43bfdb2e6269bfcff635aa305a3154eaf367d65fee4e9d782e7f9b467c9c41ddb8496850973cad6e0b88f9829a9dbfda3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1bb8f43-d1a9-4d85-87d9-9c2b7d809268.vbs

Filesize
493B

MD5
8e2b43f2ebdd8a468d39c26bfd1d2511

SHA1
bd2377f12ecdf6bfb79afeb27634b6b1af700b9f

SHA256
da22961cdb697cfdc99b52364a4640bc5cca79cbef4f3a9bbe796b9de0af7898

SHA512
b8c473f6260a5e2f04c5cd73044b5e834e7f4c974d3679940048208fb0b505f8cf8e9c11106a2332bf6fd861de5d17b83fc25c985702ed17d020b3017ffd504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3678956-d5df-464b-a3ed-88b3551f64c3.vbs

Filesize
717B

MD5
9eeac455e76c70a883b0e50422796b62

SHA1
d53813a882ceb1e2f755f9aa7e66d3e67ce65ad4

SHA256
dee0dfe649323bb4936623d3dec49e98f84cfc21363aada5e54a0d654fa6ef76

SHA512
ffe9292ad632105988cf3788632ea040204906646d14a916720c4a306bf74828c325476c3ec04420e5dabd465f40d15da0bd8ab30be790eb90293ac0d78307c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d36ac9c7-7b97-4034-8df4-43a03f7d80d0.vbs

Filesize
717B

MD5
60b8ed6b359d42e334d020e3c338e4dc

SHA1
0d4772e20725fb1a80aaa9803058f924c1707192

SHA256
a0ad168a4007532300ce9860ef9c20a60041dbfbaf319544a3896943c803b3b6

SHA512
f21056cd5eeabb0fd94c10e156dca7ea250c9d51bb665d47e38ff231b57339dd5b1e3d65e70b35df1c6c9f775b43cef206e137908c4f6ff196e6bd8a22e7b995

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5fb51ad-7069-4640-8319-57c0694cbf9f.vbs

Filesize
717B

MD5
1364ef8f1e8ba0aed3cac4b576f812b8

SHA1
3c80b119f8f73867f5635ab5e58d5ebd5914e139

SHA256
6625adcacf2926886e8bf8d87e1cc288db3e3275684cc88a3514fd55e9545c22

SHA512
c4a9333bf07d63ecad0b0b27678431a219df8ae35fc14ebd16180d7801e4a1ba98f481ae2333c1e401a46de35ab1403f3be8f8c4de178a38db521125c69fa423

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebd828d2-e72a-47eb-b477-71f4b93cbaad.vbs

Filesize
717B

MD5
c4c8687ce0e1dc7c1294b427e8e2dcdf

SHA1
86c965c9391a71bc74d59e3400e0538711001208

SHA256
9bf05b4df1df398d59fcbc0a7305a1a9becc114f2fc59176ee8b04a3ca1d0bc0

SHA512
e6e383fc7092aa6a3c9eb18cb553a2085a6bc4c1dff0741b316e3139358c7ab1694c5051d0241b6be4ad35f08e369a75c1e4ace98643beef9ba53008eda0ebbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1493d98-dba2-48de-bd1b-658b37d1dfd5.vbs

Filesize
717B

MD5
9f7a3aab286f1f70d167238dd522538c

SHA1
7021e75cd6ad84eca22807f6f2332a46808289b9

SHA256
9f1f0140c811ca575b3da499c502278cf8c8f83f4f9eb52757e3296fc835da2b

SHA512
54698d562fdcebd5444026e958d8623be74720271609db125244ed844d720900c87e57127421856f69eb7755857438695d3104ac4c1aeabfcc7095e0cd4660a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a16ae1e14add194ac1c330208bdd6e6a

SHA1
5a7ff23e02bfffa51c145210a522a49a081e4521

SHA256
6c58d0de2c2efe31512f267de944bdb856df35f469624b2032bf61010d7e9309

SHA512
3df1d70de6d141d2c6401283e36a72ddd464a089adc88b76b5015438d4940413630697f95606176c832f5ac7d5379c462890036bebe2efc1027f2f6a1402e675

Download Submit
C:\Windows\System32\netevent\winlogon.exe

Filesize
1.1MB

MD5
129604f1b9a3159cd590568e46599b19

SHA1
b90a07a0e4828e403988eb93f922ea5bacab3b89

SHA256
9df4baf2b9c7e545a295428fdd2125a5b61298efb9a5def44cad9e74146c176b

SHA512
e35f22d10891142e1bf345451c6f137651fd9e7a543272519ac1fcb75841687d10c3cbf0675f8b6fb273cc1d7561fcd8dbf7ab77f0c1404f17204286f9c67395

Download Submit
C:\Windows\System32\tapiui\csrss.exe

Filesize
1.1MB

MD5
d9a7a84e51c67d1a641349c9195c4f74

SHA1
ab7430806db422ec6dc6bf7c378d70f36125c33f

SHA256
98be7f502a04b1116647aec47e8e1061d2c26404d6e7855423371fe01d8f5ef9

SHA512
fd9a242d657e746ddd07474fefe772afb1b4060db34bb030d1ce8abd7c4ff1af235b209606ea8f43aaf87ae30e1cbfd5b23986344b23a6a50bf13b35deb97ee7

Download Submit
C:\Windows\System32\xmlfilter\wininit.exe

Filesize
1.1MB

MD5
702fe115d7514f1c39adf32542e4b1f0

SHA1
8ee8b6e0ce5ba3acf8656b9a0e805bc2335a5041

SHA256
93cb1f6cf91243233af8372a17d72aeeca91599c3dd7bc339ab0e82ecf5aa2d1

SHA512
a9010666d9c4ab1241eada07449ba25211841fd2bf01cc477d6a5b62407b9dc71d8c607a6ce7bedd4a58d13d21fc695eb83924f49b855f5a5ec119ef78cd5583

Download Submit
memory/540-137-0x00000000003E0000-0x00000000004F4000-memory.dmp

Filesize
1.1MB

Download
memory/576-123-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/576-129-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/940-264-0x0000000000DC0000-0x0000000000ED4000-memory.dmp

Filesize
1.1MB

Download
memory/1052-160-0x00000000011F0000-0x0000000001304000-memory.dmp

Filesize
1.1MB

Download
memory/1336-240-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1336-239-0x0000000000330000-0x0000000000444000-memory.dmp

Filesize
1.1MB

Download
memory/1648-252-0x0000000000B90000-0x0000000000CA4000-memory.dmp

Filesize
1.1MB

Download
memory/2052-148-0x0000000000E80000-0x0000000000F94000-memory.dmp

Filesize
1.1MB

Download
memory/3052-14-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/3052-10-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/3052-16-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/3052-15-0x0000000000760000-0x000000000076A000-memory.dmp

Filesize
40KB

Download
memory/3052-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/3052-63-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-17-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/3052-18-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/3052-13-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/3052-40-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/3052-12-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/3052-34-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-11-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/3052-102-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-9-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/3052-1-0x00000000013C0000-0x00000000014D4000-memory.dmp

Filesize
1.1MB

Download
memory/3052-8-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/3052-7-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/3052-6-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/3052-5-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/3052-29-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-24-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-4-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/3052-21-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/3052-3-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/3052-20-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/3052-2-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-194-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download