dcrat | ec57a5693533b024615c157ec0e3867b2eb73a65a12c20501ef8ff00ffd8f65c

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Size

5.9MB
MD5

7c2f113ba8a501582e5be7ba0c0bf0fb
SHA1

ff9cf8d30af6127eb666f6beef694468aa4635e9
SHA256

de9937ea08cc871fea712bab7d3206d845f302b33cf1c469ec57f26017abf196
SHA512

86cb31695c72d27f26acfa889726be42a24fe8e4ea63b18b6c6d485ea4a0a26199b8dced77fb2dea3da10643307cf11ab5abd52f8b8b85a3e70bb121f037b7b8
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4j:RyeU11Rvqmu8TWKnF6N/1wW

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2448	powershell.exe
444	powershell.exe
744	powershell.exe
2828	powershell.exe
2928	powershell.exe
2936	powershell.exe
2668	powershell.exe
1840	powershell.exe
2584	powershell.exe
2772	powershell.exe
2944	powershell.exe
2920	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Executes dropped EXE 3 IoCs

pid	Process
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\taskhost.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\0a1fd5f707cd16	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXDCCA.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXE674.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Program Files\Windows Mail\en-US\OSPPSVC.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCXEB0A.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXEF22.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Program Files\Windows Mail\en-US\1610b97d3ab4a7	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXE673.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCXEA9C.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXEF23.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXDCDA.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\OSPPSVC.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\schemas\AvailableNetwork\csrss.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File created	C:\Windows\schemas\AvailableNetwork\886983d96e3d3e	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXE887.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXE888.tmp	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\csrss.exe	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2396	schtasks.exe
1660	schtasks.exe
2608	schtasks.exe
1236	schtasks.exe
1668	schtasks.exe
1952	schtasks.exe
2524	schtasks.exe
2468	schtasks.exe
2908	schtasks.exe
2112	schtasks.exe
2564	schtasks.exe
2292	schtasks.exe
2756	schtasks.exe
1756	schtasks.exe
2620	schtasks.exe
2636	schtasks.exe
976	schtasks.exe
2148	schtasks.exe
1308	schtasks.exe
2884	schtasks.exe
2336	schtasks.exe
3004	schtasks.exe
2992	schtasks.exe
1480	schtasks.exe
1376	schtasks.exe
1832	schtasks.exe
2956	schtasks.exe
2924	schtasks.exe
2916	schtasks.exe
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2828	powershell.exe
2772	powershell.exe
2584	powershell.exe
444	powershell.exe
1840	powershell.exe
2928	powershell.exe
744	powershell.exe
2668	powershell.exe
2944	powershell.exe
2936	powershell.exe
2920	powershell.exe
2448	powershell.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Token: SeDebugPrivilege	2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Token: SeDebugPrivilege	2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2928	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	62
PID 2192 wrote to memory of 2928	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	62
PID 2192 wrote to memory of 2928	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	62
PID 2192 wrote to memory of 2828	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	63
PID 2192 wrote to memory of 2828	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	63
PID 2192 wrote to memory of 2828	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	63
PID 2192 wrote to memory of 2920	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	65
PID 2192 wrote to memory of 2920	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	65
PID 2192 wrote to memory of 2920	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	65
PID 2192 wrote to memory of 2944	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	66
PID 2192 wrote to memory of 2944	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	66
PID 2192 wrote to memory of 2944	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	66
PID 2192 wrote to memory of 2772	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	67
PID 2192 wrote to memory of 2772	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	67
PID 2192 wrote to memory of 2772	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	67
PID 2192 wrote to memory of 2584	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	69
PID 2192 wrote to memory of 2584	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	69
PID 2192 wrote to memory of 2584	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	69
PID 2192 wrote to memory of 744	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	70
PID 2192 wrote to memory of 744	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	70
PID 2192 wrote to memory of 744	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	70
PID 2192 wrote to memory of 1840	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	72
PID 2192 wrote to memory of 1840	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	72
PID 2192 wrote to memory of 1840	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	72
PID 2192 wrote to memory of 444	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	73
PID 2192 wrote to memory of 444	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	73
PID 2192 wrote to memory of 444	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	73
PID 2192 wrote to memory of 2448	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	78
PID 2192 wrote to memory of 2448	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	78
PID 2192 wrote to memory of 2448	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	78
PID 2192 wrote to memory of 2668	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	80
PID 2192 wrote to memory of 2668	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	80
PID 2192 wrote to memory of 2668	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	80
PID 2192 wrote to memory of 2936	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	81
PID 2192 wrote to memory of 2936	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	81
PID 2192 wrote to memory of 2936	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	81
PID 2192 wrote to memory of 2664	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	86
PID 2192 wrote to memory of 2664	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	86
PID 2192 wrote to memory of 2664	2192	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	86
PID 2664 wrote to memory of 3044	2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	87
PID 2664 wrote to memory of 3044	2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	87
PID 2664 wrote to memory of 3044	2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	87
PID 2664 wrote to memory of 1604	2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	88
PID 2664 wrote to memory of 1604	2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	88
PID 2664 wrote to memory of 1604	2664	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	88
PID 3044 wrote to memory of 2636	3044	WScript.exe	89
PID 3044 wrote to memory of 2636	3044	WScript.exe	89
PID 3044 wrote to memory of 2636	3044	WScript.exe	89
PID 2636 wrote to memory of 2632	2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	90
PID 2636 wrote to memory of 2632	2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	90
PID 2636 wrote to memory of 2632	2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	90
PID 2636 wrote to memory of 2936	2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	91
PID 2636 wrote to memory of 2936	2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	91
PID 2636 wrote to memory of 2936	2636	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	91
PID 2632 wrote to memory of 2096	2632	WScript.exe	93
PID 2632 wrote to memory of 2096	2632	WScript.exe	93
PID 2632 wrote to memory of 2096	2632	WScript.exe	93
PID 2096 wrote to memory of 2652	2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	94
PID 2096 wrote to memory of 2652	2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	94
PID 2096 wrote to memory of 2652	2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	94
PID 2096 wrote to memory of 2728	2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	95
PID 2096 wrote to memory of 2728	2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	95
PID 2096 wrote to memory of 2728	2096	7c2f113ba8a501582e5be7ba0c0bf0fb.exe	95

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2f113ba8a501582e5be7ba0c0bf0fb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7c2f113ba8a501582e5be7ba0c0bf0fb.exe
"C:\Users\Admin\AppData\Local\Temp\7c2f113ba8a501582e5be7ba0c0bf0fb.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe
  "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2664
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d33d4819-e60e-468a-9e14-1c0def5d4171.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe
      "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2636
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8a121d0-f5ea-439d-b17c-3fd524d46912.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0618f4d5-fd0e-4aa0-96b2-ee716b7712e4.vbs"
        7⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2db30fb5-6207-4fb3-aee4-7f3d28055bb8.vbs"
        7⤵
        
        PID:2728
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dee3b99d-c350-40dc-bfa1-0fee450bc52e.vbs"
        5⤵
        
        PID:2936
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fac4e62-0bab-4e05-a7e3-3c5f4eb29346.vbs"
    3⤵
    PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2f113ba8a501582e5be7ba0c0bf0fb7" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\7c2f113ba8a501582e5be7ba0c0bf0fb.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2f113ba8a501582e5be7ba0c0bf0fb" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\7c2f113ba8a501582e5be7ba0c0bf0fb.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2f113ba8a501582e5be7ba0c0bf0fb7" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\7c2f113ba8a501582e5be7ba0c0bf0fb.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\AvailableNetwork\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\AvailableNetwork\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2f113ba8a501582e5be7ba0c0bf0fb7" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2f113ba8a501582e5be7ba0c0bf0fb" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2f113ba8a501582e5be7ba0c0bf0fb7" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\7c2f113ba8a501582e5be7ba0c0bf0fb.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

Filesize
5.9MB

MD5
6cb94c7c6173647c26e8f91d720d129b

SHA1
1389952417b80c51085c3d22ac74721e6670c0c4

SHA256
819ce30590e01acda085f7b6410551cdc8cb68bee3e434faf28fda6ddb0d7688

SHA512
678d4253132ca364e2e2367c9f9aaa9bd33f4d14b9b659f663f2017b5dce17c4f32fc9984830a631bd8b579b6f70b68987aecbb806178a74a0531b1f5fedc475

Download Submit
C:\Program Files (x86)\Google\Temp\taskhost.exe

Filesize
5.9MB

MD5
7c2f113ba8a501582e5be7ba0c0bf0fb

SHA1
ff9cf8d30af6127eb666f6beef694468aa4635e9

SHA256
de9937ea08cc871fea712bab7d3206d845f302b33cf1c469ec57f26017abf196

SHA512
86cb31695c72d27f26acfa889726be42a24fe8e4ea63b18b6c6d485ea4a0a26199b8dced77fb2dea3da10643307cf11ab5abd52f8b8b85a3e70bb121f037b7b8

Download Submit
C:\Program Files\Windows Mail\en-US\OSPPSVC.exe

Filesize
5.9MB

MD5
eb04fcdd69aaf866183f4f7c0d40ef47

SHA1
c9d94ee9564e1a64aebfd3b2c2de11dfddfa94f2

SHA256
5eff7b6f764d4de46be594ac5f54bbb97f7de3300901f571b9313f23eb1834c7

SHA512
49172a658b85a1e72f1753dd4996de1bfc1e0dd9c9d6e1914af6866ef5f304712cc7058a35203c4c206010000b4ed860ba488fc57169fb4bf391cd822242cca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0618f4d5-fd0e-4aa0-96b2-ee716b7712e4.vbs

Filesize
775B

MD5
3d3bcd32e881e4bf1fff117122e144fa

SHA1
136e9f7bdfff8e8861127bd89b548017f9ef189b

SHA256
4bdbeb66ea2d1dc9f5817cde48e75b831544cfc56ab0e1162f32b321f6bfd938

SHA512
27e31396d2dd600c33fa5aff7391f8239778adc6a0e6c780dcf30bc565d38b79daab3f62113738447e24d78acba82a5a8e3368ac3ff879d2ece8c177fb7cdc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fac4e62-0bab-4e05-a7e3-3c5f4eb29346.vbs

Filesize
551B

MD5
fdeca83a83c8ad6bd57e9db51ed4faa3

SHA1
28aadbcf2145cb032aa18659930dcbb5f1bb2fc3

SHA256
80cf632cd690cc9bef8256408bf3397802d8145fd745104b0f3f9af09a969d82

SHA512
15e2c8652ba19caba8e60c2f92040655eb06f90ce22408de3423e4d38fc5a06eb33266f84b82e8368919aff82032704fca903ffb8b5f3c1055a8497b917a287a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8a121d0-f5ea-439d-b17c-3fd524d46912.vbs

Filesize
775B

MD5
d563710dca3ca41a02cade254a6fcf9d

SHA1
94116ac67f66a14887e702fe970ab6df4f7b6bd4

SHA256
3a045f34b2fb8c9a9f90be4b1a8dc5569c17a68d07db9d3c7189c5eec90c8cbc

SHA512
9b7968ea56a1be10c0058feddbfe918230695803d17163b1707ed3dfba9a92c85606752e049e71312e0bef5a6c7c7bb9e87e4107455ef472d919f42354bf91a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d33d4819-e60e-468a-9e14-1c0def5d4171.vbs

Filesize
775B

MD5
b4baf957abd3045bc4f2af7f7fdcbe3f

SHA1
cf73ef0aa7a1a5c8c5a595cd70eb15df6dac0507

SHA256
0d75b80ba637134782ca6e12781816ba5f6e6e257b020361931eb20fee1811f7

SHA512
e76ce23fe792ff8b5392392ff5864f979a9bf648631412ed0dce2e00389c50e916af7011cb9ea2d207a4923dcdc0e91911746161deb0a7ab3b83864ce3205835

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5d560852d267f6e0f4ab5b3ac12d30f8

SHA1
331fab22c223feb69402bd46df292da0e562eb27

SHA256
4b11cbe2a8e50549c486c26a2854384c534554c1c035053af4e82b8f30d88c30

SHA512
25ef199d48e73f45e135e1776aeec6840ef15d90558df9c89bee1e99b159194550635925c542dc0420fd77e4b34159ae909ffaa18487bd166d8fe5f0be7635d8

Download Submit
memory/2096-279-0x0000000000A50000-0x0000000001348000-memory.dmp

Filesize
9.0MB

Download
memory/2192-15-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/2192-34-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/2192-30-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/2192-38-0x000000001BD10000-0x000000001BD1A000-memory.dmp

Filesize
40KB

Download
memory/2192-39-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/2192-16-0x00000000012C0000-0x00000000012CA000-memory.dmp

Filesize
40KB

Download
memory/2192-13-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/2192-37-0x000000001BD00000-0x000000001BD08000-memory.dmp

Filesize
32KB

Download
memory/2192-36-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

Filesize
48KB

Download
memory/2192-14-0x0000000001250000-0x0000000001258000-memory.dmp

Filesize
32KB

Download
memory/2192-18-0x000000001B450000-0x000000001B45C000-memory.dmp

Filesize
48KB

Download
memory/2192-33-0x000000001BBC0000-0x000000001BBC8000-memory.dmp

Filesize
32KB

Download
memory/2192-32-0x000000001BBB0000-0x000000001BBBE000-memory.dmp

Filesize
56KB

Download
memory/2192-31-0x000000001BBA0000-0x000000001BBAA000-memory.dmp

Filesize
40KB

Download
memory/2192-29-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/2192-28-0x000000001BB70000-0x000000001BB7C000-memory.dmp

Filesize
48KB

Download
memory/2192-27-0x000000001BB60000-0x000000001BB6C000-memory.dmp

Filesize
48KB

Download
memory/2192-26-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/2192-25-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

Filesize
48KB

Download
memory/2192-21-0x000000001B480000-0x000000001B488000-memory.dmp

Filesize
32KB

Download
memory/2192-20-0x000000001B470000-0x000000001B47C000-memory.dmp

Filesize
48KB

Download
memory/2192-19-0x000000001B460000-0x000000001B468000-memory.dmp

Filesize
32KB

Download
memory/2192-24-0x000000001B980000-0x000000001B98C000-memory.dmp

Filesize
48KB

Download
memory/2192-17-0x0000000001350000-0x00000000013A6000-memory.dmp

Filesize
344KB

Download
memory/2192-35-0x000000001BCE0000-0x000000001BCE8000-memory.dmp

Filesize
32KB

Download
memory/2192-12-0x0000000001240000-0x0000000001252000-memory.dmp

Filesize
72KB

Download
memory/2192-11-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2192-10-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/2192-8-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2192-7-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/2192-6-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2192-5-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/2192-9-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2192-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/2192-1-0x00000000013A0000-0x0000000001C98000-memory.dmp

Filesize
9.0MB

Download
memory/2192-246-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-23-0x000000001B490000-0x000000001B4A2000-memory.dmp

Filesize
72KB

Download
memory/2192-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2192-3-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-4-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/2636-263-0x00000000002B0000-0x0000000000BA8000-memory.dmp

Filesize
9.0MB

Download
memory/2636-265-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/2636-266-0x000000001AFF0000-0x000000001B046000-memory.dmp

Filesize
344KB

Download
memory/2636-267-0x000000001B460000-0x000000001B472000-memory.dmp

Filesize
72KB

Download
memory/2664-252-0x000000001B050000-0x000000001B0A6000-memory.dmp

Filesize
344KB

Download
memory/2664-214-0x0000000000F20000-0x0000000001818000-memory.dmp

Filesize
9.0MB

Download
memory/2828-200-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2828-215-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download