dcrat | 55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2e7cee938a991ef6e4a0fcb64efc69a.exe
Size

3.3MB
MD5

f2e7cee938a991ef6e4a0fcb64efc69a
SHA1

a256643993c2ad1e86be6209dd3cf457ba6e6865
SHA256

b874ba54767cb863c42144303d87a6cba7c13b2cb36d10ecc714b226b1732d03
SHA512

af637f0038ac2afe4ab315c514ceb79540c54c5cd59128a7a1726c022c3846e57fb5d762360b9db5f34605e7134203f058c693edfb8b5d9d07b86dbc346f451b
SSDEEP

49152:7s51kZEsvhP4KUYTMb5C1JyWdLQqFxLCobXK45p4aE:7s5eaKhgKUFCo2LP15s

Score

10^/10

dcrat defense_evasion infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2684	schtasks.exe
		1828	schtasks.exe
		1668	schtasks.exe
		2512	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991		f2e7cee938a991ef6e4a0fcb64efc69a.exe
		2016	schtasks.exe
		2900	schtasks.exe
		2412	schtasks.exe
		2508	schtasks.exe
		1020	schtasks.exe
		592	schtasks.exe
		2916	schtasks.exe
		2356	schtasks.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc		f2e7cee938a991ef6e4a0fcb64efc69a.exe
		2440	schtasks.exe
		2928	schtasks.exe
		2228	schtasks.exe
		2648	schtasks.exe
		1804	schtasks.exe
		592	schtasks.exe
		1592	schtasks.exe
		2516	schtasks.exe
		2680	schtasks.exe
		956	schtasks.exe
		1996	schtasks.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\cc11b995f2a76d		f2e7cee938a991ef6e4a0fcb64efc69a.exe
		2176	schtasks.exe
		2752	schtasks.exe
		2832	schtasks.exe
		1736	schtasks.exe
		1296	schtasks.exe
		2424	schtasks.exe
		3020	schtasks.exe
		1728	schtasks.exe
		2704	schtasks.exe
		2380	schtasks.exe
		2848	schtasks.exe
		796	schtasks.exe
		2652	schtasks.exe
		2768	schtasks.exe
		1724	schtasks.exe
		600	schtasks.exe
		2292	schtasks.exe
		3024	schtasks.exe
		2988	schtasks.exe
		2392	schtasks.exe
File created	C:\Program Files\DVD Maker\en-US\42af1c969fbb7b		f2e7cee938a991ef6e4a0fcb64efc69a.exe
		320	schtasks.exe
		1152	schtasks.exe
		2452	schtasks.exe
		2456	schtasks.exe
		2208	schtasks.exe
File created	C:\Program Files\Google\6203df4a6bafc7		f2e7cee938a991ef6e4a0fcb64efc69a.exe
		2648	schtasks.exe
		3044	schtasks.exe
		2216	schtasks.exe
File created	C:\Windows\DigitalLocker\en-US\42af1c969fbb7b		f2e7cee938a991ef6e4a0fcb64efc69a.exe
		860	schtasks.exe
		924	schtasks.exe
		3040	schtasks.exe
		2268	schtasks.exe
		2556	schtasks.exe
		2852	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1984	schtasks.exe	30

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/1420-1-0x00000000013A0000-0x00000000016EE000-memory.dmp	dcrat
behavioral9/files/0x000500000001a4c8-43.dat	dcrat
behavioral9/files/0x000500000001a51b-64.dat	dcrat
behavioral9/files/0x000600000001a466-98.dat	dcrat
behavioral9/files/0x000600000001a4c8-120.dat	dcrat
behavioral9/files/0x000700000001a4d4-131.dat	dcrat
behavioral9/memory/2856-229-0x00000000003F0000-0x000000000073E000-memory.dmp	dcrat
behavioral9/memory/2176-241-0x0000000001380000-0x00000000016CE000-memory.dmp	dcrat
behavioral9/memory/2248-254-0x0000000000080000-0x00000000003CE000-memory.dmp	dcrat

Executes dropped EXE 4 IoCs

pid	Process
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2856	lsass.exe
2176	lsass.exe
2248	lsass.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\OSPPSVC.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\MSBuild\wininit.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\WmiPrvSE.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\Google\RCX11F1.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\Google\RCX1202.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\1610b97d3ab4a7	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\Mozilla Firefox\fonts\5940a34987c991	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\MSBuild\56085415360792	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXFDE.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\Google\lsass.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX16F4.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX19D5.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\dllhost.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXFDD.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX16F5.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX1966.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\RCX1BD8.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\audiodg.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\f3b6ecef712a24	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\MSBuild\wininit.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\DVD Maker\en-US\42af1c969fbb7b	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\cc11b995f2a76d	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\7-Zip\Lang\24dbde2999530e	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\Mozilla Firefox\fonts\dllhost.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\69ddcba757bf72	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\RCX1C47.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\DVD Maker\en-US\audiodg.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\7-Zip\Lang\WmiPrvSE.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Program Files\Google\6203df4a6bafc7	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files\Google\lsass.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\dllhost.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Windows\es-ES\5940a34987c991	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Windows\es-ES\RCX1E4B.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Windows\es-ES\dllhost.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\audiodg.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXD5B.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXDD9.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Windows\es-ES\RCX1E4A.tmp	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Windows\Registration\CRMLog\WmiPrvSE.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Windows\Registration\CRMLog\24dbde2999530e	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File opened for modification	C:\Windows\Registration\CRMLog\WmiPrvSE.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Windows\DigitalLocker\en-US\audiodg.exe	f2e7cee938a991ef6e4a0fcb64efc69a.exe
File created	C:\Windows\DigitalLocker\en-US\42af1c969fbb7b	f2e7cee938a991ef6e4a0fcb64efc69a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe
2168	schtasks.exe
2292	schtasks.exe
2016	schtasks.exe
1804	schtasks.exe
2440	schtasks.exe
2176	schtasks.exe
1700	schtasks.exe
2076	schtasks.exe
2088	schtasks.exe
2216	schtasks.exe
2864	schtasks.exe
860	schtasks.exe
2424	schtasks.exe
592	schtasks.exe
2648	schtasks.exe
2412	schtasks.exe
688	schtasks.exe
3020	schtasks.exe
1668	schtasks.exe
2556	schtasks.exe
2988	schtasks.exe
924	schtasks.exe
1728	schtasks.exe
320	schtasks.exe
2424	schtasks.exe
2752	schtasks.exe
1668	schtasks.exe
2848	schtasks.exe
2916	schtasks.exe
2780	schtasks.exe
1736	schtasks.exe
1296	schtasks.exe
2832	schtasks.exe
3044	schtasks.exe
2396	schtasks.exe
2608	schtasks.exe
1308	schtasks.exe
2380	schtasks.exe
3040	schtasks.exe
1724	schtasks.exe
2268	schtasks.exe
2704	schtasks.exe
1492	schtasks.exe
2512	schtasks.exe
1020	schtasks.exe
956	schtasks.exe
2868	schtasks.exe
2900	schtasks.exe
2456	schtasks.exe
468	schtasks.exe
2208	schtasks.exe
2228	schtasks.exe
592	schtasks.exe
2356	schtasks.exe
1620	schtasks.exe
2928	schtasks.exe
2768	schtasks.exe
3024	schtasks.exe
1152	schtasks.exe
1976	schtasks.exe
1592	schtasks.exe
2392	schtasks.exe
2516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Token: SeDebugPrivilege	2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Token: SeDebugPrivilege	2856	lsass.exe
Token: SeDebugPrivilege	2176	lsass.exe
Token: SeDebugPrivilege	2248	lsass.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2468	1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe	55
PID 1420 wrote to memory of 2468	1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe	55
PID 1420 wrote to memory of 2468	1420	f2e7cee938a991ef6e4a0fcb64efc69a.exe	55
PID 2468 wrote to memory of 2904	2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe	110
PID 2468 wrote to memory of 2904	2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe	110
PID 2468 wrote to memory of 2904	2468	f2e7cee938a991ef6e4a0fcb64efc69a.exe	110
PID 2904 wrote to memory of 2680	2904	cmd.exe	112
PID 2904 wrote to memory of 2680	2904	cmd.exe	112
PID 2904 wrote to memory of 2680	2904	cmd.exe	112
PID 2904 wrote to memory of 2856	2904	cmd.exe	113
PID 2904 wrote to memory of 2856	2904	cmd.exe	113
PID 2904 wrote to memory of 2856	2904	cmd.exe	113
PID 2856 wrote to memory of 2692	2856	lsass.exe	114
PID 2856 wrote to memory of 2692	2856	lsass.exe	114
PID 2856 wrote to memory of 2692	2856	lsass.exe	114
PID 2856 wrote to memory of 956	2856	lsass.exe	115
PID 2856 wrote to memory of 956	2856	lsass.exe	115
PID 2856 wrote to memory of 956	2856	lsass.exe	115
PID 2692 wrote to memory of 2176	2692	WScript.exe	116
PID 2692 wrote to memory of 2176	2692	WScript.exe	116
PID 2692 wrote to memory of 2176	2692	WScript.exe	116
PID 2176 wrote to memory of 1720	2176	lsass.exe	117
PID 2176 wrote to memory of 1720	2176	lsass.exe	117
PID 2176 wrote to memory of 1720	2176	lsass.exe	117
PID 2176 wrote to memory of 2232	2176	lsass.exe	118
PID 2176 wrote to memory of 2232	2176	lsass.exe	118
PID 2176 wrote to memory of 2232	2176	lsass.exe	118
PID 1720 wrote to memory of 2248	1720	WScript.exe	119
PID 1720 wrote to memory of 2248	1720	WScript.exe	119
PID 1720 wrote to memory of 2248	1720	WScript.exe	119
PID 2248 wrote to memory of 708	2248	lsass.exe	120
PID 2248 wrote to memory of 708	2248	lsass.exe	120
PID 2248 wrote to memory of 708	2248	lsass.exe	120
PID 2248 wrote to memory of 2840	2248	lsass.exe	121
PID 2248 wrote to memory of 2840	2248	lsass.exe	121
PID 2248 wrote to memory of 2840	2248	lsass.exe	121

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f2e7cee938a991ef6e4a0fcb64efc69a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe
"C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1420
- C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe
  "C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2468
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p7bBo9DGHW.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2680
  - - C:\MSOCache\All Users\lsass.exe
      "C:\MSOCache\All Users\lsass.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2856
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb80063-b882-4c22-ae8c-2eac5a3191aa.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf21e2d5-bcb9-4358-b6dc-7dd2f336c069.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93bddda3-a851-4548-adbb-e54fec3368d9.vbs"
        9⤵
        
        PID:708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28b4898d-2b8b-4781-beea-5aecf8618bbb.vbs"
        9⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54a6bc23-daf1-42bf-add4-67f7e643f7a6.vbs"
        7⤵
        
        PID:2232
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee7b0928-6cb0-4b40-a844-92fc7c00faba.vbs"
        5⤵
        
        PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f2e7cee938a991ef6e4a0fcb64efc69af" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\f2e7cee938a991ef6e4a0fcb64efc69a.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f2e7cee938a991ef6e4a0fcb64efc69a" /sc ONLOGON /tr "'C:\Users\Default\NetHood\f2e7cee938a991ef6e4a0fcb64efc69a.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f2e7cee938a991ef6e4a0fcb64efc69af" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\f2e7cee938a991ef6e4a0fcb64efc69a.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe

Filesize
3.3MB

MD5
f2e7cee938a991ef6e4a0fcb64efc69a

SHA1
a256643993c2ad1e86be6209dd3cf457ba6e6865

SHA256
b874ba54767cb863c42144303d87a6cba7c13b2cb36d10ecc714b226b1732d03

SHA512
af637f0038ac2afe4ab315c514ceb79540c54c5cd59128a7a1726c022c3846e57fb5d762360b9db5f34605e7134203f058c693edfb8b5d9d07b86dbc346f451b

Download Submit
C:\Program Files (x86)\Windows Portable Devices\dllhost.exe

Filesize
3.3MB

MD5
8a36f9b05ad23066c7fb1e76c495f394

SHA1
d4bbf265c916707c0fbe20aff60a9a9f9a0659e1

SHA256
7ea1358c158f45eaad31ff39486a41ec279363ba9c945263b28334760c6e3297

SHA512
4b853dc4254ca965706643449e88b0af4f702bbccd1b8900461b1da99957751529343bae19ea750459c3dbf3b91a29c93a9332be72ed76fb2d55c8392b2dd5fe

Download Submit
C:\Program Files\DVD Maker\en-US\audiodg.exe

Filesize
3.3MB

MD5
aa4628f95342cef03d4113ee2c06c865

SHA1
7dc41782526aa3e564342f4caa1edac40532d5b4

SHA256
8d4526bd40e5f3aca6f56066c6a1a959655ab438e13b5840c8b1b5578ca39725

SHA512
92ea2e7b194de089c9d0df3b8b6ac4092939962df32b6cfaa53b789e41893e7bb4380a6f8eec2c8bfdb5676940e69417029d4537defc1ee1cd4d61f1afb9d4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bb80063-b882-4c22-ae8c-2eac5a3191aa.vbs

Filesize
707B

MD5
e97b333b5d218ea2ab81fed74ba149a3

SHA1
8722171226bc2d9c8e1ad54249d7f01809e1a726

SHA256
cf39ef68b1a504d76525cd957c3dca297a3ef99c7f2c949c688eb9a60c6c3bb2

SHA512
853aaffe2fde22b8f004d90bd8fc4f5194f0c90cec645f470ca44eed23d930c1fc6a46c566b93a23a7e13985dbc5e566ea0497b0399e6dfc938032ae6b6d853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\93bddda3-a851-4548-adbb-e54fec3368d9.vbs

Filesize
707B

MD5
c71ad02e3e0f7af1ccb25fd9fa026206

SHA1
5f3093dd16fb9af35d834a04b8d0a843aa81d829

SHA256
860abeee4f36a20ff7f28b5e4693df3b05c490fe0e8469c5bc00e7ed734f3962

SHA512
43d3ff964925659b368c58e5e43094a724f13a181a7d00d99a24c9d2d941751be0de869f90afb609abcedffae8812880f9de555b5490fb2c1411a827cc4b49f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf21e2d5-bcb9-4358-b6dc-7dd2f336c069.vbs

Filesize
707B

MD5
4d8d7249da9c697b628cf92b91c66b29

SHA1
576f36bda8c449681031900e1c3774c0d54660ee

SHA256
15fb05d88e778b9fa595bb685ccfcd5cadb804717d101edf56310674e9832550

SHA512
37c143a75912b8e5206b73afcb075b8a68993633b48fe97a3aa374e0c15f2f095c3b1aff4f77e0c6e7553472c2b35f1ea3ff0a98e0ce87a8b063d252c6bd2d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee7b0928-6cb0-4b40-a844-92fc7c00faba.vbs

Filesize
483B

MD5
47cfefce6214acf6bc4b601ac68476b8

SHA1
23439332ce6aca5e3372cef94230f381d9d5d684

SHA256
c7ae5085e46b89895e011b0c19048f1b15dda94d29c7f978d4837c241ad9c0a7

SHA512
a98f095cb9199cee1a050fd9bf576e5ff7f0a57b7e7a9e6637e16862df4792cd57e2e5235153a7cb190f46edaccd0fe04e9591d85d9100efe49293a1112c5a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\p7bBo9DGHW.bat

Filesize
196B

MD5
d62447c3f0be72f0aac1cf3659b8be86

SHA1
ba50ebc99731d70ec10438a0564abd338222ce5e

SHA256
80298bdcb99324f333f16d04f86ad00b5919e955602958d19dcf38fb263b9320

SHA512
9508f97bbb516b694371c240a4abd7ea12c6b0690226779f5a06f61c15bd3c086a1f893a3e5737ec963e6a9f71ed45018a084be6a8350fdd753f9ba9b0b781c2

Download Submit
C:\Users\Public\Favorites\winlogon.exe

Filesize
3.3MB

MD5
2c87b08b221d16631449432e54c95305

SHA1
ad9b5c810a74b379394bc255400ac27991452eac

SHA256
887ba39a85fcfa864cad7d8b7108fa69f8291d37221acd0dc9c9c6fbdd2f4b70

SHA512
6102950b9ccef8b27abaa536cbc9c2c324e18cd83207babe8d75fa1dec73d175c87256ef4d20e2ab458a346eaf4c676accb4000cc04453e867413fead13af5dc

Download Submit
C:\Windows\DigitalLocker\en-US\audiodg.exe

Filesize
3.3MB

MD5
863907d0f7fda834f9082d0934c22dac

SHA1
a5e2203e77aa5cbdf09201860b3cff26f2a4568b

SHA256
18a9961015876aab7675a541560c2a85319839258d89820c45400c1ae4dd02a5

SHA512
1f8169756f23a9ad588dcddc3c5b1c6fb88076b8d0b7fa9d1af826c7b4ae37e0dc9626f287d304bb010e9c58c8ba4c009ff6fd95466ffffe6b8ce2c1b9fa576d

Download Submit
memory/1420-13-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/1420-31-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/1420-12-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1420-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1420-14-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1420-15-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1420-16-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/1420-17-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/1420-18-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1420-19-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/1420-22-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/1420-21-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/1420-23-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/1420-20-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/1420-25-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/1420-24-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1420-26-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/1420-27-0x0000000000CB0000-0x0000000000CBE000-memory.dmp

Filesize
56KB

Download
memory/1420-28-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/1420-29-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/1420-30-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/1420-11-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/1420-32-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/1420-33-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/1420-34-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/1420-10-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1420-9-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/1420-8-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/1420-7-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1420-6-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/1420-147-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1420-1-0x00000000013A0000-0x00000000016EE000-memory.dmp

Filesize
3.3MB

Download
memory/1420-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1420-5-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1420-3-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/1420-4-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2176-241-0x0000000001380000-0x00000000016CE000-memory.dmp

Filesize
3.3MB

Download
memory/2176-242-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2248-254-0x0000000000080000-0x00000000003CE000-memory.dmp

Filesize
3.3MB

Download
memory/2468-149-0x0000000000D80000-0x0000000000DD6000-memory.dmp

Filesize
344KB

Download
memory/2468-148-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/2856-230-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/2856-229-0x00000000003F0000-0x000000000073E000-memory.dmp

Filesize
3.3MB

Download