dcrat | a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be183db6d4b77c092496c69c3f389b94.exe
Size

5.9MB
MD5

be183db6d4b77c092496c69c3f389b94
SHA1

fb3bfca351c3393d0a5d8cd9720b6427a2e496a3
SHA256

87c09708598a2d92970a4a4e7244fc31589a8e6e6a49240ec5c5862aff099c9a
SHA512

997eba720a5d7895cfce44aa1f67eba74312314a87190e2b5dd8229aaa63d3886224d7f34023d9888922a72fd976a214eedf2f9d746c923c6efbe9683e39173c
SSDEEP

98304:byeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4d:byeU11Rvqmu8TWKnF6N/1ww

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2640	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1684	powershell.exe
1664	powershell.exe
1600	powershell.exe
1532	powershell.exe
2644	powershell.exe
884	powershell.exe
2348	powershell.exe
2424	powershell.exe
1604	powershell.exe
1580	powershell.exe
2648	powershell.exe
372	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	be183db6d4b77c092496c69c3f389b94.exe

Executes dropped EXE 3 IoCs

pid	Process
2904	sppsvc.exe
1624	sppsvc.exe
1312	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be183db6d4b77c092496c69c3f389b94.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2904	sppsvc.exe
2904	sppsvc.exe
1624	sppsvc.exe
1624	sppsvc.exe
1312	sppsvc.exe
1312	sppsvc.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCX33AE.tmp	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files\Windows Media Player\dllhost.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\886983d96e3d3e	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX2969.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCX33AF.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files\Windows Media Player\5940a34987c991	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\0a1fd5f707cd16	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX2512.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX297A.tmp	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX2522.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files\Windows Media Player\dllhost.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX2C1A.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX2C97.tmp	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\0a1fd5f707cd16	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe	be183db6d4b77c092496c69c3f389b94.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ShellNew\RCX2F08.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\ShellNew\RCX2F96.tmp	be183db6d4b77c092496c69c3f389b94.exe
File opened for modification	C:\Windows\ShellNew\sppsvc.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Windows\ShellNew\sppsvc.exe	be183db6d4b77c092496c69c3f389b94.exe
File created	C:\Windows\ShellNew\0a1fd5f707cd16	be183db6d4b77c092496c69c3f389b94.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
560	schtasks.exe
2904	schtasks.exe
1860	schtasks.exe
2212	schtasks.exe
2208	schtasks.exe
1316	schtasks.exe
3036	schtasks.exe
2608	schtasks.exe
2392	schtasks.exe
2228	schtasks.exe
1592	schtasks.exe
1908	schtasks.exe
2920	schtasks.exe
2452	schtasks.exe
768	schtasks.exe
1676	schtasks.exe
2772	schtasks.exe
2800	schtasks.exe
2912	schtasks.exe
264	schtasks.exe
1028	schtasks.exe
604	schtasks.exe
2192	schtasks.exe
2972	schtasks.exe
2084	schtasks.exe
1100	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
2276	be183db6d4b77c092496c69c3f389b94.exe
1664	powershell.exe
2644	powershell.exe
884	powershell.exe
1684	powershell.exe
1580	powershell.exe
372	powershell.exe
1532	powershell.exe
2648	powershell.exe
2348	powershell.exe
1600	powershell.exe
2424	powershell.exe
1604	powershell.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe
2904	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	be183db6d4b77c092496c69c3f389b94.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2904	sppsvc.exe
Token: SeDebugPrivilege	1624	sppsvc.exe
Token: SeDebugPrivilege	1312	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2348	2276	be183db6d4b77c092496c69c3f389b94.exe	58
PID 2276 wrote to memory of 2348	2276	be183db6d4b77c092496c69c3f389b94.exe	58
PID 2276 wrote to memory of 2348	2276	be183db6d4b77c092496c69c3f389b94.exe	58
PID 2276 wrote to memory of 372	2276	be183db6d4b77c092496c69c3f389b94.exe	59
PID 2276 wrote to memory of 372	2276	be183db6d4b77c092496c69c3f389b94.exe	59
PID 2276 wrote to memory of 372	2276	be183db6d4b77c092496c69c3f389b94.exe	59
PID 2276 wrote to memory of 884	2276	be183db6d4b77c092496c69c3f389b94.exe	61
PID 2276 wrote to memory of 884	2276	be183db6d4b77c092496c69c3f389b94.exe	61
PID 2276 wrote to memory of 884	2276	be183db6d4b77c092496c69c3f389b94.exe	61
PID 2276 wrote to memory of 2644	2276	be183db6d4b77c092496c69c3f389b94.exe	62
PID 2276 wrote to memory of 2644	2276	be183db6d4b77c092496c69c3f389b94.exe	62
PID 2276 wrote to memory of 2644	2276	be183db6d4b77c092496c69c3f389b94.exe	62
PID 2276 wrote to memory of 2648	2276	be183db6d4b77c092496c69c3f389b94.exe	63
PID 2276 wrote to memory of 2648	2276	be183db6d4b77c092496c69c3f389b94.exe	63
PID 2276 wrote to memory of 2648	2276	be183db6d4b77c092496c69c3f389b94.exe	63
PID 2276 wrote to memory of 1532	2276	be183db6d4b77c092496c69c3f389b94.exe	64
PID 2276 wrote to memory of 1532	2276	be183db6d4b77c092496c69c3f389b94.exe	64
PID 2276 wrote to memory of 1532	2276	be183db6d4b77c092496c69c3f389b94.exe	64
PID 2276 wrote to memory of 1580	2276	be183db6d4b77c092496c69c3f389b94.exe	65
PID 2276 wrote to memory of 1580	2276	be183db6d4b77c092496c69c3f389b94.exe	65
PID 2276 wrote to memory of 1580	2276	be183db6d4b77c092496c69c3f389b94.exe	65
PID 2276 wrote to memory of 1604	2276	be183db6d4b77c092496c69c3f389b94.exe	66
PID 2276 wrote to memory of 1604	2276	be183db6d4b77c092496c69c3f389b94.exe	66
PID 2276 wrote to memory of 1604	2276	be183db6d4b77c092496c69c3f389b94.exe	66
PID 2276 wrote to memory of 1600	2276	be183db6d4b77c092496c69c3f389b94.exe	67
PID 2276 wrote to memory of 1600	2276	be183db6d4b77c092496c69c3f389b94.exe	67
PID 2276 wrote to memory of 1600	2276	be183db6d4b77c092496c69c3f389b94.exe	67
PID 2276 wrote to memory of 1664	2276	be183db6d4b77c092496c69c3f389b94.exe	68
PID 2276 wrote to memory of 1664	2276	be183db6d4b77c092496c69c3f389b94.exe	68
PID 2276 wrote to memory of 1664	2276	be183db6d4b77c092496c69c3f389b94.exe	68
PID 2276 wrote to memory of 1684	2276	be183db6d4b77c092496c69c3f389b94.exe	69
PID 2276 wrote to memory of 1684	2276	be183db6d4b77c092496c69c3f389b94.exe	69
PID 2276 wrote to memory of 1684	2276	be183db6d4b77c092496c69c3f389b94.exe	69
PID 2276 wrote to memory of 2424	2276	be183db6d4b77c092496c69c3f389b94.exe	70
PID 2276 wrote to memory of 2424	2276	be183db6d4b77c092496c69c3f389b94.exe	70
PID 2276 wrote to memory of 2424	2276	be183db6d4b77c092496c69c3f389b94.exe	70
PID 2276 wrote to memory of 2904	2276	be183db6d4b77c092496c69c3f389b94.exe	82
PID 2276 wrote to memory of 2904	2276	be183db6d4b77c092496c69c3f389b94.exe	82
PID 2276 wrote to memory of 2904	2276	be183db6d4b77c092496c69c3f389b94.exe	82
PID 2276 wrote to memory of 2904	2276	be183db6d4b77c092496c69c3f389b94.exe	82
PID 2276 wrote to memory of 2904	2276	be183db6d4b77c092496c69c3f389b94.exe	82
PID 2904 wrote to memory of 2852	2904	sppsvc.exe	83
PID 2904 wrote to memory of 2852	2904	sppsvc.exe	83
PID 2904 wrote to memory of 2852	2904	sppsvc.exe	83
PID 2904 wrote to memory of 2136	2904	sppsvc.exe	84
PID 2904 wrote to memory of 2136	2904	sppsvc.exe	84
PID 2904 wrote to memory of 2136	2904	sppsvc.exe	84
PID 2852 wrote to memory of 1624	2852	WScript.exe	85
PID 2852 wrote to memory of 1624	2852	WScript.exe	85
PID 2852 wrote to memory of 1624	2852	WScript.exe	85
PID 2852 wrote to memory of 1624	2852	WScript.exe	85
PID 2852 wrote to memory of 1624	2852	WScript.exe	85
PID 1624 wrote to memory of 264	1624	sppsvc.exe	86
PID 1624 wrote to memory of 264	1624	sppsvc.exe	86
PID 1624 wrote to memory of 264	1624	sppsvc.exe	86
PID 1624 wrote to memory of 2788	1624	sppsvc.exe	87
PID 1624 wrote to memory of 2788	1624	sppsvc.exe	87
PID 1624 wrote to memory of 2788	1624	sppsvc.exe	87
PID 264 wrote to memory of 1312	264	WScript.exe	88
PID 264 wrote to memory of 1312	264	WScript.exe	88
PID 264 wrote to memory of 1312	264	WScript.exe	88
PID 264 wrote to memory of 1312	264	WScript.exe	88
PID 264 wrote to memory of 1312	264	WScript.exe	88
PID 1312 wrote to memory of 2612	1312	sppsvc.exe	89

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	be183db6d4b77c092496c69c3f389b94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\be183db6d4b77c092496c69c3f389b94.exe
"C:\Users\Admin\AppData\Local\Temp\be183db6d4b77c092496c69c3f389b94.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\ShellNew\sppsvc.exe
  "C:\Windows\ShellNew\sppsvc.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2904
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e727117f-b6d2-48de-875a-568793ad37e9.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\ShellNew\sppsvc.exe
      C:\Windows\ShellNew\sppsvc.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1624
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0df7192-67d3-4c9a-932d-85d683d5b689.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea9bfe39-acb3-4200-95b8-117de3877fb8.vbs"
        7⤵
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d9e4668-85a7-46d3-a099-26895f3e97b8.vbs"
        7⤵
        
        PID:2748
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7850a0-9c25-4e33-a383-c4645f610db9.vbs"
        5⤵
        
        PID:2788
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33c6f2d7-1efb-49e1-a80f-a01a8b6d291c.vbs"
    3⤵
    PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be183db6d4b77c092496c69c3f389b94b" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\be183db6d4b77c092496c69c3f389b94.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be183db6d4b77c092496c69c3f389b94" /sc ONLOGON /tr "'C:\Users\Default User\be183db6d4b77c092496c69c3f389b94.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be183db6d4b77c092496c69c3f389b94b" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\be183db6d4b77c092496c69c3f389b94.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be183db6d4b77c092496c69c3f389b94b" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\be183db6d4b77c092496c69c3f389b94.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be183db6d4b77c092496c69c3f389b94" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\be183db6d4b77c092496c69c3f389b94.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be183db6d4b77c092496c69c3f389b94b" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\be183db6d4b77c092496c69c3f389b94.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe

Filesize
5.9MB

MD5
be183db6d4b77c092496c69c3f389b94

SHA1
fb3bfca351c3393d0a5d8cd9720b6427a2e496a3

SHA256
87c09708598a2d92970a4a4e7244fc31589a8e6e6a49240ec5c5862aff099c9a

SHA512
997eba720a5d7895cfce44aa1f67eba74312314a87190e2b5dd8229aaa63d3886224d7f34023d9888922a72fd976a214eedf2f9d746c923c6efbe9683e39173c

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe

Filesize
5.9MB

MD5
ac77117ae04ab97c8d28f510f71f1713

SHA1
17993c6656ab6827b7c70bdde6db11ef18752022

SHA256
d708c91c481d36e9884f3bf33aeb950e23f7aa963ecb36067b00016b95475558

SHA512
2338a05832ed22cc711a435b8898d8ce3aa6f0dc183901446b70deefa0a38a9bd6b16eded77cc5d2df270cbd8c842f88b34c1109155c8a58a2dbc451c2cb6a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\33c6f2d7-1efb-49e1-a80f-a01a8b6d291c.vbs

Filesize
482B

MD5
6c2fb603294549e0ad90e92115ba2719

SHA1
de8b883a215ee5aea0b5ec7bcdfb89465a9f7a1c

SHA256
07fe707d11ea7b785d6aa864f5b1d134e15d269b8a18269b776a261bf6508132

SHA512
e52afe6abc36d69f6969f9a48de6db263dfe3a9b0d73217d9b04f47c657f86708161c5a65f4b24ce082f3ab41d395ff70507beff80b0fdfb810f4f06817c7d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e727117f-b6d2-48de-875a-568793ad37e9.vbs

Filesize
706B

MD5
460c67be5916b93523367bb5c796846c

SHA1
b706bb41de052a3032931fd38a7c9ba47fc1616f

SHA256
d33dbe6d64978de887cbb2418d62763cc856b7ff23a5a4bdf185c57d83f741f6

SHA512
c9b0a7ffca0c50b09119953a2c2e163edb2d7e47c5dcef2f82ff2780e54c99387f2c876b7aed5863675f4d5cbb47f7d811b190a2b58637c6e7833de86c85879f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea9bfe39-acb3-4200-95b8-117de3877fb8.vbs

Filesize
706B

MD5
604900cf36edc428c1bf0d817c8eece1

SHA1
7c46c2e3172f64cb9a39ed937e2f2677b364c6c0

SHA256
379f078fa42597afaabae2a276104afb10a1d4328ad8a3ce6a2cbba929218334

SHA512
1fc83e8df2c807d50366380ad9181515067e3f6b7bbb3017ca7b296ddf7046e2a61432869fd20fc472621cbab87720ea19c59fbd791a00c9cc029c4d6ea30b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0df7192-67d3-4c9a-932d-85d683d5b689.vbs

Filesize
706B

MD5
3e29ecf40c69a17e522cb48da854e044

SHA1
de77504f83bda17c3771564097e383a53d0c623b

SHA256
c940c66ca39e49eaf9e4f1ea1ba8c8c0e85ad0a40d79ada1d874b5bbb52a6096

SHA512
beb3d6a230e2f20a0a0e17d03aee4eecb043e4da9441d011b7f4517e2da454046fa80ac237466e4f0a20cf039a729cc7197b4e15a32412156b1c84360229d71c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0d37934b38da28c0384fbe3c81da3e2d

SHA1
4795e5bd208d97f359ba57a66ba8ad6f19daf743

SHA256
7fabd22466a80ed50687ec52e2d0052e3fe9f4b6fd7f5ec52d819415e00ad109

SHA512
b608c2413283204bc58825f4c06a0ba2eecb9ac56e4a0374d9ed10ff6010d831d0beb301b98c622b2285fcc21e3b78bcde7d46493d4c41dce7753e9649c335c0

Download Submit
C:\Windows\ShellNew\sppsvc.exe

Filesize
5.9MB

MD5
18628f177d9d65409edcd32243468463

SHA1
3a4f38e734834cf256823f423c97473bdd302d0d

SHA256
5f1a7a2db7d68970b4d66b93b0dfb2d46aad0130ad5656480bd506a39cf2b8d1

SHA512
04f94255c01323c7ae3a37ebb3af00395afa8d64c249a2a68de4500942e083817a949fc0004a0947e27ef754c313902f6d671b885c35db4a1ae6958907d5d467

Download Submit
memory/1312-256-0x0000000000BC0000-0x0000000000C16000-memory.dmp

Filesize
344KB

Download
memory/1624-242-0x00000000010A0000-0x0000000001998000-memory.dmp

Filesize
9.0MB

Download
memory/1664-207-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2276-13-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2276-38-0x000000001B660000-0x000000001B66A000-memory.dmp

Filesize
40KB

Download
memory/2276-0-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/2276-15-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2276-14-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2276-16-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2276-17-0x0000000000C10000-0x0000000000C66000-memory.dmp

Filesize
344KB

Download
memory/2276-18-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/2276-23-0x0000000000F00000-0x0000000000F12000-memory.dmp

Filesize
72KB

Download
memory/2276-21-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2276-20-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/2276-19-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2276-24-0x0000000002C30000-0x0000000002C3C000-memory.dmp

Filesize
48KB

Download
memory/2276-25-0x0000000002C40000-0x0000000002C4C000-memory.dmp

Filesize
48KB

Download
memory/2276-27-0x0000000002C60000-0x0000000002C6C000-memory.dmp

Filesize
48KB

Download
memory/2276-26-0x0000000002C50000-0x0000000002C58000-memory.dmp

Filesize
32KB

Download
memory/2276-28-0x0000000002C70000-0x0000000002C7C000-memory.dmp

Filesize
48KB

Download
memory/2276-30-0x000000001B210000-0x000000001B21C000-memory.dmp

Filesize
48KB

Download
memory/2276-29-0x0000000002C80000-0x0000000002C88000-memory.dmp

Filesize
32KB

Download
memory/2276-31-0x000000001B220000-0x000000001B22A000-memory.dmp

Filesize
40KB

Download
memory/2276-36-0x000000001B640000-0x000000001B64C000-memory.dmp

Filesize
48KB

Download
memory/2276-11-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2276-39-0x000000001B670000-0x000000001B67C000-memory.dmp

Filesize
48KB

Download
memory/2276-37-0x000000001B650000-0x000000001B658000-memory.dmp

Filesize
32KB

Download
memory/2276-35-0x000000001B630000-0x000000001B638000-memory.dmp

Filesize
32KB

Download
memory/2276-34-0x000000001B620000-0x000000001B62E000-memory.dmp

Filesize
56KB

Download
memory/2276-33-0x000000001B240000-0x000000001B248000-memory.dmp

Filesize
32KB

Download
memory/2276-32-0x000000001B230000-0x000000001B23E000-memory.dmp

Filesize
56KB

Download
memory/2276-12-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2276-10-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/2276-167-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/2276-8-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2276-1-0x0000000000F30000-0x0000000001828000-memory.dmp

Filesize
9.0MB

Download
memory/2276-9-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2276-6-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2276-228-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2276-7-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/2276-5-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2276-4-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/2276-3-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-214-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2904-230-0x00000000008D0000-0x00000000011C8000-memory.dmp

Filesize
9.0MB

Download