dcrat | f3aa2b23a67f4dbcce9fff7bb084e70127e3e0c4f2ab0f605487c570a7408960

Analysis

max time kernel
133s
max time network
154s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ec1c209b158ca6a09569dab997a10da.exe
Size

5.9MB
MD5

6ec1c209b158ca6a09569dab997a10da
SHA1

1edc7c6f32e6b4ebc5faf5a522ed5992fc73bedf
SHA256

44c8df0ee91d3ab2825961ab81fed1370c75c034ef717b2baa192c2430eb65a3
SHA512

821d17198941051e5bd354fe5ea3fded5e196cd41b900714f9d68bb25baecca306160c695790649d7f3a48bdacb2ec7d9eebd6a184e756501dcdc726d98fd857
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4v:RyeU11Rvqmu8TWKnF6N/1wq

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2452	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2452	schtasks.exe	28

UAC bypass 3 TTPs 9 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6ec1c209b158ca6a09569dab997a10da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6ec1c209b158ca6a09569dab997a10da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6ec1c209b158ca6a09569dab997a10da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2912	powershell.exe
2592	powershell.exe
1276	powershell.exe
2604	powershell.exe
2856	powershell.exe
2796	powershell.exe
2424	powershell.exe
2388	powershell.exe
2580	powershell.exe
2688	powershell.exe
2696	powershell.exe
2664	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6ec1c209b158ca6a09569dab997a10da.exe

Executes dropped EXE 2 IoCs

pid	Process
888	services.exe
344	services.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6ec1c209b158ca6a09569dab997a10da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6ec1c209b158ca6a09569dab997a10da.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
888	services.exe
888	services.exe
344	services.exe
344	services.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Program Files\Windows Mail\ja-JP\explorer.exe	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Program Files\Windows Mail\ja-JP\7a0fd90576e088	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXAA65.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXACE6.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXACE7.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\explorer.exe	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\csrss.exe	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXAAE2.tmp	6ec1c209b158ca6a09569dab997a10da.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\system\1b98b8bebcee32	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXB875.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXB876.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\CSC\RCXBAF6.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\Web\RCXBF9D.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\LiveKernelReports\dwm.exe	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\CSC\f3b6ecef712a24	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\Web\winlogon.exe	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXAEFB.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\Vss\Writers\System\wininit.exe	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\Web\RCXBF9C.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\system\6ec1c209b158ca6a09569dab997a10da.exe	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\system\6ec1c209b158ca6a09569dab997a10da.exe	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXAF3A.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\CSC\RCXBB36.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\CSC\spoolsv.exe	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\Vss\Writers\System\56085415360792	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\CSC\spoolsv.exe	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\Web\cc11b995f2a76d	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\LiveKernelReports\dwm.exe	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\Web\winlogon.exe	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\system\RCXC1B0.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File opened for modification	C:\Windows\system\RCXC21E.tmp	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\Vss\Writers\System\wininit.exe	6ec1c209b158ca6a09569dab997a10da.exe
File created	C:\Windows\LiveKernelReports\6cb0b6c459d5d3	6ec1c209b158ca6a09569dab997a10da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1840	schtasks.exe
2596	schtasks.exe
1796	schtasks.exe
320	schtasks.exe
1636	schtasks.exe
3056	schtasks.exe
3040	schtasks.exe
1960	schtasks.exe
396	schtasks.exe
828	schtasks.exe
2672	schtasks.exe
2732	schtasks.exe
2628	schtasks.exe
2024	schtasks.exe
2080	schtasks.exe
2916	schtasks.exe
2624	schtasks.exe
1324	schtasks.exe
3008	schtasks.exe
2260	schtasks.exe
3036	schtasks.exe
832	schtasks.exe
1888	schtasks.exe
1820	schtasks.exe
2228	schtasks.exe
2188	schtasks.exe
2756	schtasks.exe
2776	schtasks.exe
2788	schtasks.exe
1228	schtasks.exe
2744	schtasks.exe
1440	schtasks.exe
2124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
2696	powershell.exe
1068	6ec1c209b158ca6a09569dab997a10da.exe
2664	powershell.exe
1276	powershell.exe
2604	powershell.exe
2688	powershell.exe
2796	powershell.exe
2388	powershell.exe
2424	powershell.exe
2592	powershell.exe
2580	powershell.exe
2912	powershell.exe
2856	powershell.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	6ec1c209b158ca6a09569dab997a10da.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	888	services.exe
Token: SeDebugPrivilege	344	services.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2388	1068	6ec1c209b158ca6a09569dab997a10da.exe	62
PID 1068 wrote to memory of 2388	1068	6ec1c209b158ca6a09569dab997a10da.exe	62
PID 1068 wrote to memory of 2388	1068	6ec1c209b158ca6a09569dab997a10da.exe	62
PID 1068 wrote to memory of 2664	1068	6ec1c209b158ca6a09569dab997a10da.exe	63
PID 1068 wrote to memory of 2664	1068	6ec1c209b158ca6a09569dab997a10da.exe	63
PID 1068 wrote to memory of 2664	1068	6ec1c209b158ca6a09569dab997a10da.exe	63
PID 1068 wrote to memory of 2424	1068	6ec1c209b158ca6a09569dab997a10da.exe	65
PID 1068 wrote to memory of 2424	1068	6ec1c209b158ca6a09569dab997a10da.exe	65
PID 1068 wrote to memory of 2424	1068	6ec1c209b158ca6a09569dab997a10da.exe	65
PID 1068 wrote to memory of 2796	1068	6ec1c209b158ca6a09569dab997a10da.exe	67
PID 1068 wrote to memory of 2796	1068	6ec1c209b158ca6a09569dab997a10da.exe	67
PID 1068 wrote to memory of 2796	1068	6ec1c209b158ca6a09569dab997a10da.exe	67
PID 1068 wrote to memory of 2696	1068	6ec1c209b158ca6a09569dab997a10da.exe	68
PID 1068 wrote to memory of 2696	1068	6ec1c209b158ca6a09569dab997a10da.exe	68
PID 1068 wrote to memory of 2696	1068	6ec1c209b158ca6a09569dab997a10da.exe	68
PID 1068 wrote to memory of 2856	1068	6ec1c209b158ca6a09569dab997a10da.exe	69
PID 1068 wrote to memory of 2856	1068	6ec1c209b158ca6a09569dab997a10da.exe	69
PID 1068 wrote to memory of 2856	1068	6ec1c209b158ca6a09569dab997a10da.exe	69
PID 1068 wrote to memory of 2688	1068	6ec1c209b158ca6a09569dab997a10da.exe	70
PID 1068 wrote to memory of 2688	1068	6ec1c209b158ca6a09569dab997a10da.exe	70
PID 1068 wrote to memory of 2688	1068	6ec1c209b158ca6a09569dab997a10da.exe	70
PID 1068 wrote to memory of 2604	1068	6ec1c209b158ca6a09569dab997a10da.exe	71
PID 1068 wrote to memory of 2604	1068	6ec1c209b158ca6a09569dab997a10da.exe	71
PID 1068 wrote to memory of 2604	1068	6ec1c209b158ca6a09569dab997a10da.exe	71
PID 1068 wrote to memory of 2912	1068	6ec1c209b158ca6a09569dab997a10da.exe	72
PID 1068 wrote to memory of 2912	1068	6ec1c209b158ca6a09569dab997a10da.exe	72
PID 1068 wrote to memory of 2912	1068	6ec1c209b158ca6a09569dab997a10da.exe	72
PID 1068 wrote to memory of 2592	1068	6ec1c209b158ca6a09569dab997a10da.exe	73
PID 1068 wrote to memory of 2592	1068	6ec1c209b158ca6a09569dab997a10da.exe	73
PID 1068 wrote to memory of 2592	1068	6ec1c209b158ca6a09569dab997a10da.exe	73
PID 1068 wrote to memory of 1276	1068	6ec1c209b158ca6a09569dab997a10da.exe	74
PID 1068 wrote to memory of 1276	1068	6ec1c209b158ca6a09569dab997a10da.exe	74
PID 1068 wrote to memory of 1276	1068	6ec1c209b158ca6a09569dab997a10da.exe	74
PID 1068 wrote to memory of 2580	1068	6ec1c209b158ca6a09569dab997a10da.exe	75
PID 1068 wrote to memory of 2580	1068	6ec1c209b158ca6a09569dab997a10da.exe	75
PID 1068 wrote to memory of 2580	1068	6ec1c209b158ca6a09569dab997a10da.exe	75
PID 1068 wrote to memory of 1492	1068	6ec1c209b158ca6a09569dab997a10da.exe	86
PID 1068 wrote to memory of 1492	1068	6ec1c209b158ca6a09569dab997a10da.exe	86
PID 1068 wrote to memory of 1492	1068	6ec1c209b158ca6a09569dab997a10da.exe	86
PID 1492 wrote to memory of 1120	1492	cmd.exe	88
PID 1492 wrote to memory of 1120	1492	cmd.exe	88
PID 1492 wrote to memory of 1120	1492	cmd.exe	88
PID 1492 wrote to memory of 888	1492	cmd.exe	91
PID 1492 wrote to memory of 888	1492	cmd.exe	91
PID 1492 wrote to memory of 888	1492	cmd.exe	91
PID 888 wrote to memory of 2416	888	services.exe	92
PID 888 wrote to memory of 2416	888	services.exe	92
PID 888 wrote to memory of 2416	888	services.exe	92
PID 888 wrote to memory of 2692	888	services.exe	93
PID 888 wrote to memory of 2692	888	services.exe	93
PID 888 wrote to memory of 2692	888	services.exe	93
PID 2416 wrote to memory of 344	2416	WScript.exe	94
PID 2416 wrote to memory of 344	2416	WScript.exe	94
PID 2416 wrote to memory of 344	2416	WScript.exe	94
PID 344 wrote to memory of 2896	344	services.exe	95
PID 344 wrote to memory of 2896	344	services.exe	95
PID 344 wrote to memory of 2896	344	services.exe	95
PID 344 wrote to memory of 856	344	services.exe	96
PID 344 wrote to memory of 856	344	services.exe	96
PID 344 wrote to memory of 856	344	services.exe	96

System policy modification 1 TTPs 9 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6ec1c209b158ca6a09569dab997a10da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6ec1c209b158ca6a09569dab997a10da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6ec1c209b158ca6a09569dab997a10da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ec1c209b158ca6a09569dab997a10da.exe
"C:\Users\Admin\AppData\Local\Temp\6ec1c209b158ca6a09569dab997a10da.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2jWrKESR9g.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1120
- - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe
    "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:888
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67438c48-70b6-49dc-99cf-681d004ddf3c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:344
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6affe3ab-ce95-4c1d-9df3-8ec0c5e244a2.vbs"
        6⤵
        
        PID:2896
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe"
        7⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e0b6903-5d05-49d3-ae65-0c1e5de08cce.vbs"
        8⤵
        
        PID:1120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45e159f8-701d-44d6-8b06-c4cfcf56b5be.vbs"
        8⤵
        
        PID:1576
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34674c34-dd94-498c-8bb1-82e5b2855851.vbs"
        6⤵
        
        PID:856
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cec37a3-2a66-48ee-8aad-e301640c82f3.vbs"
      4⤵
      PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6ec1c209b158ca6a09569dab997a10da6" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\6ec1c209b158ca6a09569dab997a10da.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6ec1c209b158ca6a09569dab997a10da" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\6ec1c209b158ca6a09569dab997a10da.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6ec1c209b158ca6a09569dab997a10da6" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\6ec1c209b158ca6a09569dab997a10da.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\CSC\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Web\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6ec1c209b158ca6a09569dab997a10da6" /sc MINUTE /mo 14 /tr "'C:\Windows\system\6ec1c209b158ca6a09569dab997a10da.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6ec1c209b158ca6a09569dab997a10da" /sc ONLOGON /tr "'C:\Windows\system\6ec1c209b158ca6a09569dab997a10da.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6ec1c209b158ca6a09569dab997a10da6" /sc MINUTE /mo 12 /tr "'C:\Windows\system\6ec1c209b158ca6a09569dab997a10da.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\6ec1c209b158ca6a09569dab997a10da.exe

Filesize
5.9MB

MD5
6ec1c209b158ca6a09569dab997a10da

SHA1
1edc7c6f32e6b4ebc5faf5a522ed5992fc73bedf

SHA256
44c8df0ee91d3ab2825961ab81fed1370c75c034ef717b2baa192c2430eb65a3

SHA512
821d17198941051e5bd354fe5ea3fded5e196cd41b900714f9d68bb25baecca306160c695790649d7f3a48bdacb2ec7d9eebd6a184e756501dcdc726d98fd857

Download Submit
C:\Program Files (x86)\Windows Media Player\csrss.exe

Filesize
5.9MB

MD5
8f2e49fdca6824aa86e1af72ed39efe2

SHA1
1c5e4ae30ce9ddd271d5f2a237097cd1f4aec522

SHA256
85033b0a42b1989c97bde1106831f3c8bbbbcf6996ad45d49713b67e763a0ffa

SHA512
1b40b492981b77561cbb9071508cced1cde4568ba51ea45dd9363707348107fa3cab5cf77bfa983fb19c92ca458cf3234249499239eae0693e6b1e5c6e73ab47

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jWrKESR9g.bat

Filesize
249B

MD5
f59d9547c37a6bb56739ac05150e0b74

SHA1
f1b8cf5f633e3f0b181e1126d56140d42e5be832

SHA256
7194e20f1b1a38179491ac77b23b7af5842e85c3318bab4fb4c86e9314dbfb14

SHA512
2195f43814ea286d2d428b5e2078b441819a64cd9363b6edd12be4e095f986de0feae652d83589004acc230bf59d00cc1006c7d078e8a6e2795faa750174d151

Download Submit
C:\Users\Admin\AppData\Local\Temp\67438c48-70b6-49dc-99cf-681d004ddf3c.vbs

Filesize
759B

MD5
739b4c62ce34af5acfcbafa96ad9467a

SHA1
6ba574623a5d20b80d60ccfcf7253decb6dc3490

SHA256
de1e8073d784b831aa7924c729dfeff53683499ad007fc45cc8a41178641b5c8

SHA512
5cad569e9c65aaf846c06eaa5fc9f3991f50263744abc9e464a48f7bf61e74dbe115980f98a7828a317b2c1ae004c3dba56d0880f562833ac4da17a954f3b8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6affe3ab-ce95-4c1d-9df3-8ec0c5e244a2.vbs

Filesize
759B

MD5
b3e2c7fb6d629ba765e3f7156ff6efd1

SHA1
61ac32166367439d795dac102f7144ac2e765ee3

SHA256
9f70f173406466ec2db372b4480c7abfccc7c5668e5dd6be3be79d4390be58ab

SHA512
09d5499090cbb00c5ccacafe987e34e04b93796ad0fa0cde39621b02bb093a00aea0ca067ab008363157acbacaa1201b390231ba03f2108823c1bd0937af4560

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e0b6903-5d05-49d3-ae65-0c1e5de08cce.vbs

Filesize
760B

MD5
346f66706a4f88dedac984016d1f289b

SHA1
16acda362a37c5d56253a5c7eab11c6c0b81e583

SHA256
b93f25fa6542d9ea043883623fff4397f9b54f2f4aa1e7921c6ca845440dd824

SHA512
e73e6c38934464d02ed1d117277ba5438e3a37e58caf08c04389d9d4737586118edc7e1d8c8bfd6edd28c04626d0e5af37c520d6bcfdc6d5b77f5a52fea969d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cec37a3-2a66-48ee-8aad-e301640c82f3.vbs

Filesize
536B

MD5
f247d0fe9847567b0897553739deabe4

SHA1
40cb74ad8a1989986ede1c91d270f2e64415db51

SHA256
281cde218b089aeda96075dde7bc1afc711d3aeeb672e34ba4951c0ad3196f84

SHA512
3cacf408c68f8a5c713d17add1d5a932bb7cfd70ffa088965697b62d66d5726891f96e3c36db98c6db8e31f7ad9210dc83d695d56d49629a52a1d2e456de4a00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3e0a0cf0352128e64b5038755933859b

SHA1
f3b4013646ea98719f997d910016b451b6739581

SHA256
d090c6624200ecb155f1cce5b206ed15f5ff8ca14e3271deb6979299f503fe1d

SHA512
c95f3c8ec3755d452a963025a12069dbd9e4d5b2d4d7e8d2422a8ec48cb0838aba3c9666cbf79858010900792e4b3075a09b992aa4aca8e3af39082e37dfdde5

Download Submit
C:\Windows\system\6ec1c209b158ca6a09569dab997a10da.exe

Filesize
5.9MB

MD5
9c6e17cc4a2609063c62aabbe4ae7a0e

SHA1
3db2494cd4694281e9d922099cdea0ac9b09950c

SHA256
85a6e417632e69304ec9d83a3244483004729fa9e7c0437199cc7fa8a9c4aaca

SHA512
73493ed05cb14b8f1f175bde1b33598fcacc49489a590a05567ec8d564c122d223d2ca49a89e5268eaf5b49a7c19878416dbb5ce13e172ee4a58a18ddf57e62a

Download Submit
memory/344-279-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/888-266-0x0000000001080000-0x0000000001978000-memory.dmp

Filesize
9.0MB

Download
memory/1068-16-0x00000000028D0000-0x00000000028DA000-memory.dmp

Filesize
40KB

Download
memory/1068-36-0x000000001BA60000-0x000000001BA6C000-memory.dmp

Filesize
48KB

Download
memory/1068-13-0x00000000028C0000-0x00000000028CC000-memory.dmp

Filesize
48KB

Download
memory/1068-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/1068-15-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/1068-17-0x0000000002970000-0x00000000029C6000-memory.dmp

Filesize
344KB

Download
memory/1068-14-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1068-20-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

Filesize
48KB

Download
memory/1068-23-0x000000001B070000-0x000000001B082000-memory.dmp

Filesize
72KB

Download
memory/1068-21-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

Filesize
32KB

Download
memory/1068-19-0x00000000029C0000-0x00000000029C8000-memory.dmp

Filesize
32KB

Download
memory/1068-18-0x00000000028E0000-0x00000000028EC000-memory.dmp

Filesize
48KB

Download
memory/1068-25-0x000000001B0B0000-0x000000001B0BC000-memory.dmp

Filesize
48KB

Download
memory/1068-28-0x000000001B1E0000-0x000000001B1EC000-memory.dmp

Filesize
48KB

Download
memory/1068-27-0x000000001B1D0000-0x000000001B1DC000-memory.dmp

Filesize
48KB

Download
memory/1068-26-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

Filesize
32KB

Download
memory/1068-30-0x000000001B200000-0x000000001B20C000-memory.dmp

Filesize
48KB

Download
memory/1068-29-0x000000001B1F0000-0x000000001B1F8000-memory.dmp

Filesize
32KB

Download
memory/1068-33-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/1068-34-0x000000001B610000-0x000000001B61E000-memory.dmp

Filesize
56KB

Download
memory/1068-38-0x000000001BA80000-0x000000001BA8A000-memory.dmp

Filesize
40KB

Download
memory/1068-37-0x000000001BA70000-0x000000001BA78000-memory.dmp

Filesize
32KB

Download
memory/1068-39-0x000000001BA90000-0x000000001BA9C000-memory.dmp

Filesize
48KB

Download
memory/1068-6-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/1068-35-0x000000001B620000-0x000000001B628000-memory.dmp

Filesize
32KB

Download
memory/1068-32-0x000000001B5F0000-0x000000001B5FE000-memory.dmp

Filesize
56KB

Download
memory/1068-31-0x000000001B5E0000-0x000000001B5EA000-memory.dmp

Filesize
40KB

Download
memory/1068-24-0x000000001B0A0000-0x000000001B0AC000-memory.dmp

Filesize
48KB

Download
memory/1068-8-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/1068-11-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/1068-184-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/1068-12-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/1068-9-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/1068-1-0x0000000000120000-0x0000000000A18000-memory.dmp

Filesize
9.0MB

Download
memory/1068-2-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1068-248-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1068-10-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

Filesize
88KB

Download
memory/1068-7-0x0000000000F60000-0x0000000000F7C000-memory.dmp

Filesize
112KB

Download
memory/1068-5-0x0000000000DC0000-0x0000000000DCE000-memory.dmp

Filesize
56KB

Download
memory/1068-4-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

Filesize
56KB

Download
memory/1068-3-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-206-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2696-207-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2736-292-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2736-293-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download