dcrat | 597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Size

5.9MB
MD5

f3e5836ba9def44862cd5adb5d1ad9e5
SHA1

8b74f80ba8799969abe367bf502d9725129ffdeb
SHA256

597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd
SHA512

7f8c313d90a6460f446555170e624256796de3f5771454d836c2c20d67dcd7673ff7fd6c09bb87f14ae55bb18c671821f4106833444b9fd85f45b4235e3f8052
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw46:hyeU11Rvqmu8TWKnF6N/1wN

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 35 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1424	schtasks.exe
		2780	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
		1584	schtasks.exe
		2492	schtasks.exe
		1796	schtasks.exe
		2720	schtasks.exe
		2604	schtasks.exe
		2856	schtasks.exe
		1020	schtasks.exe
		996	schtasks.exe
		2604	schtasks.exe
		2576	schtasks.exe
		2376	schtasks.exe
		3060	schtasks.exe
		2728	schtasks.exe
		600	schtasks.exe
		552	schtasks.exe
		2436	schtasks.exe
		1928	schtasks.exe
		316	schtasks.exe
		2196	schtasks.exe
		828	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\6ccacd8608530f		597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
		2384	schtasks.exe
		2888	schtasks.exe
		2320	schtasks.exe
		2660	schtasks.exe
		2292	schtasks.exe
		1028	schtasks.exe
		1788	schtasks.exe
		2176	schtasks.exe
		2572	schtasks.exe
		1696	schtasks.exe
		796	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2908	schtasks.exe	30

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
2960	powershell.exe
2964	powershell.exe
448	powershell.exe
2836	powershell.exe
2972	powershell.exe
1932	powershell.exe
916	powershell.exe
592	powershell.exe
1252	powershell.exe
1592	powershell.exe
1972	powershell.exe
1100	powershell.exe
2860	powershell.exe
2876	powershell.exe
2992	powershell.exe
3020	powershell.exe
960	powershell.exe
3000	powershell.exe
2944	powershell.exe
1100	powershell.exe
1988	powershell.exe
2120	powershell.exe
2032	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe

Executes dropped EXE 6 IoCs

pid	Process
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1764	smss.exe
1888	smss.exe
548	smss.exe
1116	smss.exe
1724	smss.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1764	smss.exe
1764	smss.exe
1888	smss.exe
1888	smss.exe
548	smss.exe
548	smss.exe
1116	smss.exe
1116	smss.exe
1724	smss.exe
1724	smss.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX9F22.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\6ccacd8608530f	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX9EB3.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\101b941d020240	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\Windows Media Player\ja-JP\0a1fd5f707cd16	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2320	schtasks.exe
2384	schtasks.exe
2576	schtasks.exe
2436	schtasks.exe
2376	schtasks.exe
600	schtasks.exe
1028	schtasks.exe
552	schtasks.exe
2856	schtasks.exe
1928	schtasks.exe
1424	schtasks.exe
2780	schtasks.exe
316	schtasks.exe
2196	schtasks.exe
2176	schtasks.exe
3060	schtasks.exe
2720	schtasks.exe
2728	schtasks.exe
2292	schtasks.exe
1788	schtasks.exe
828	schtasks.exe
996	schtasks.exe
2604	schtasks.exe
1796	schtasks.exe
2888	schtasks.exe
1020	schtasks.exe
796	schtasks.exe
2492	schtasks.exe
2572	schtasks.exe
2660	schtasks.exe
2604	schtasks.exe
1696	schtasks.exe
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
3020	powershell.exe
2960	powershell.exe
2992	powershell.exe
2972	powershell.exe
3000	powershell.exe
2876	powershell.exe
2860	powershell.exe
1932	powershell.exe
1100	powershell.exe
2836	powershell.exe
2944	powershell.exe
2964	powershell.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
1972	powershell.exe
916	powershell.exe
1592	powershell.exe
1252	powershell.exe
1100	powershell.exe
2032	powershell.exe
592	powershell.exe
1988	powershell.exe
2836	powershell.exe
448	powershell.exe
2120	powershell.exe
960	powershell.exe
1764	smss.exe
1764	smss.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1764	smss.exe
Token: SeDebugPrivilege	1888	smss.exe
Token: SeDebugPrivilege	548	smss.exe
Token: SeDebugPrivilege	1116	smss.exe
Token: SeDebugPrivilege	1724	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2860	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	37
PID 1740 wrote to memory of 2860	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	37
PID 1740 wrote to memory of 2860	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	37
PID 1740 wrote to memory of 3000	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	38
PID 1740 wrote to memory of 3000	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	38
PID 1740 wrote to memory of 3000	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	38
PID 1740 wrote to memory of 2836	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	41
PID 1740 wrote to memory of 2836	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	41
PID 1740 wrote to memory of 2836	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	41
PID 1740 wrote to memory of 2876	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	42
PID 1740 wrote to memory of 2876	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	42
PID 1740 wrote to memory of 2876	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	42
PID 1740 wrote to memory of 2944	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	43
PID 1740 wrote to memory of 2944	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	43
PID 1740 wrote to memory of 2944	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	43
PID 1740 wrote to memory of 2960	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	45
PID 1740 wrote to memory of 2960	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	45
PID 1740 wrote to memory of 2960	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	45
PID 1740 wrote to memory of 2972	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	46
PID 1740 wrote to memory of 2972	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	46
PID 1740 wrote to memory of 2972	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	46
PID 1740 wrote to memory of 2992	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	47
PID 1740 wrote to memory of 2992	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	47
PID 1740 wrote to memory of 2992	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	47
PID 1740 wrote to memory of 3020	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	48
PID 1740 wrote to memory of 3020	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	48
PID 1740 wrote to memory of 3020	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	48
PID 1740 wrote to memory of 2964	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	49
PID 1740 wrote to memory of 2964	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	49
PID 1740 wrote to memory of 2964	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	49
PID 1740 wrote to memory of 1100	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	51
PID 1740 wrote to memory of 1100	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	51
PID 1740 wrote to memory of 1100	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	51
PID 1740 wrote to memory of 1932	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	54
PID 1740 wrote to memory of 1932	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	54
PID 1740 wrote to memory of 1932	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	54
PID 1740 wrote to memory of 1652	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	61
PID 1740 wrote to memory of 1652	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	61
PID 1740 wrote to memory of 1652	1740	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	61
PID 1652 wrote to memory of 2172	1652	cmd.exe	63
PID 1652 wrote to memory of 2172	1652	cmd.exe	63
PID 1652 wrote to memory of 2172	1652	cmd.exe	63
PID 1652 wrote to memory of 2056	1652	cmd.exe	64
PID 1652 wrote to memory of 2056	1652	cmd.exe	64
PID 1652 wrote to memory of 2056	1652	cmd.exe	64
PID 2056 wrote to memory of 448	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	92
PID 2056 wrote to memory of 448	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	92
PID 2056 wrote to memory of 448	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	92
PID 2056 wrote to memory of 916	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	93
PID 2056 wrote to memory of 916	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	93
PID 2056 wrote to memory of 916	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	93
PID 2056 wrote to memory of 592	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	94
PID 2056 wrote to memory of 592	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	94
PID 2056 wrote to memory of 592	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	94
PID 2056 wrote to memory of 1988	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	95
PID 2056 wrote to memory of 1988	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	95
PID 2056 wrote to memory of 1988	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	95
PID 2056 wrote to memory of 1252	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	96
PID 2056 wrote to memory of 1252	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	96
PID 2056 wrote to memory of 1252	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	96
PID 2056 wrote to memory of 1592	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	97
PID 2056 wrote to memory of 1592	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	97
PID 2056 wrote to memory of 1592	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	97
PID 2056 wrote to memory of 1972	2056	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	98

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
"C:\Users\Admin\AppData\Local\Temp\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe"
1⤵
- DcRat
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mVhHsYW9nd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
    "C:\Users\Admin\AppData\Local\Temp\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
      "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1764
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00c56e36-7743-4558-9cd2-f648dc1bf037.vbs"
        5⤵
        
        PID:2652
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\831ce2b3-c212-4705-981a-518463b70f72.vbs"
        7⤵
        
        PID:2436
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc806308-5fea-49d3-9497-03ae5e1faaca.vbs"
        9⤵
        
        PID:600
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2d76a60-48a6-436e-a2f5-28cd0236daee.vbs"
        11⤵
        
        PID:860
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7a90f27-00eb-426f-84e2-9dc5737bc2fe.vbs"
        13⤵
        
        PID:944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52474f11-ea5d-488c-b6c3-8f5f1d317eb3.vbs"
        13⤵
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f37ff0ad-16df-4001-9364-b8697d9981a0.vbs"
        11⤵
        
        PID:340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67eee592-c297-42fb-9fee-6bf6d5f668a8.vbs"
        9⤵
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b657fb55-3e25-4745-a1dc-04905a935509.vbs"
        7⤵
        
        PID:1620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3b7d8fd-3908-4753-a27e-be11626ea040.vbs"
        5⤵
        
        PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd5" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd5" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe

Filesize
5.9MB

MD5
09f47400621bb84acfe890592d1e7d27

SHA1
9ccdc7ee10153a2f13587f9beeba41fb9d2b86d0

SHA256
c4bf5203d45068735d82becec8bd1d954416746a3f3b1c5a8af0614f15b17a04

SHA512
61c61ad8053058a7f26699fa5f81924e4fedad59af3f624bfc36a0b201d2e1d4d20a6370105a95625a7138977175bacf0e9eec0977b33332a38197051ec47e77

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe

Filesize
5.9MB

MD5
f3e5836ba9def44862cd5adb5d1ad9e5

SHA1
8b74f80ba8799969abe367bf502d9725129ffdeb

SHA256
597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd

SHA512
7f8c313d90a6460f446555170e624256796de3f5771454d836c2c20d67dcd7673ff7fd6c09bb87f14ae55bb18c671821f4106833444b9fd85f45b4235e3f8052

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c56e36-7743-4558-9cd2-f648dc1bf037.vbs

Filesize
747B

MD5
349e5ad8eaeafc9f6445431dd4f02f92

SHA1
7945fe730556f9af80214babbea1e97ecfb25f28

SHA256
fec69ad0cc90bc4e24fa0b89fb4102f3ed3e146c7d842fba384506ff90679aa2

SHA512
40d5b35f4c52065673bd5308663dcfd3b56b8006782837bbbf239f04b67967fb360ba09e8a2ca31a1aef04239d2149bee1b99393404e6cb42fe84d3a1c7ce158

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ce2b3-c212-4705-981a-518463b70f72.vbs

Filesize
747B

MD5
35bb150cf90a17e3a0d38a459948231c

SHA1
2704ac2deed0b7a642e01be501f0dc3a86eee341

SHA256
7499da2b35682c81db71585fe2278cc9dcc03c16408ca813644c7f06e55c1dc9

SHA512
f6251aac4a96f9c04f50d2c1a608f0c22ddb1b129014beac21a2e69f56152f91a8d393a2399e3c0981c2893e136eef56c4b85e8907e98acf1f40f34184b8f10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a90f27-00eb-426f-84e2-9dc5737bc2fe.vbs

Filesize
747B

MD5
92e1c5920eac04f5e11694dba5adfd0b

SHA1
56cd2d1960d88642e2f18c2da40d2d525680f88c

SHA256
78900a035f3c59385cb5b105db0856fc9f0013658c07436b9c38d658d8db98d4

SHA512
fb59a57146a0cd6bcbaa28e842a6e37b2416ea118488c603de7ed7d45e527e6ee85310139af048611bef0552940eb514e7be104d6c99d8901b379fd2e0db8a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d76a60-48a6-436e-a2f5-28cd0236daee.vbs

Filesize
747B

MD5
ebf4ce6c924d7aff1fb755010854e536

SHA1
1f9f9800c899d87b0387c5555d8b506420a1d72a

SHA256
cba5f0ff8e097b50cda7809923f5d12db2f29e2247de2cc2668f5535d04ead35

SHA512
dbedcee3474d3de72a6ddd3cc92bf29fcb2af7f7108582a0b8db29b50b671d3bef491fd72ed9896aafd9c244afc39a9bd756b955f1681de73cff57c1d5a428d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d340cfc41efbe2ea92c3f17f122f568ff863e5f6.exe

Filesize
5.9MB

MD5
b3e0d6529de262deff31ab58c99e536e

SHA1
29957c1f5d835f07fe06231cbae2408c9bf79251

SHA256
29ccf71cc17235df2aa30ec134bc20ae1058f2837f32685f5658e5021482eed8

SHA512
cbf48afdbddef1c59719ce27c200b4e715030e61ef3fa98f79535e81088f99a56c4d4aedadb847b447bfd15dbb282d13336da614927471acfa69519ea27d69eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3b7d8fd-3908-4753-a27e-be11626ea040.vbs

Filesize
523B

MD5
d0b4aa8eff4b0a66e7f919eac395f44c

SHA1
5dee0ed1231d1182d88dbf828844b6678500b791

SHA256
1b341988cba98eaf97d4032dadba9773a3363dcd36c0489f41f59095281719ef

SHA512
ff452011f0d2e230f2b9af4bdd4c9c84b063f67cc97d1e0aaa477b77c5ed48d7587b7ab3454b6564af8200a6e467a64564bbe5ce11e9c6f361238534a2c34721

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc806308-5fea-49d3-9497-03ae5e1faaca.vbs

Filesize
746B

MD5
ddac75069b6c9df23b32eca1d408a891

SHA1
b2e376c48c7c453ffe9ffa887a4cd6ba4a6993c7

SHA256
5e26df5af357dae3f27200e255b3d4e75e92e73e16944e4c63f4df0140edf8d3

SHA512
7e7e23506d045bba07b1f12a04dd2740ba580408ea3ddfc24ad4df03cc70da9d7d6788868c8befc03e71a9befcd0ea316fe0a804e921348edfcf8e0989aa043b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mVhHsYW9nd.bat

Filesize
267B

MD5
2909ebd077b92081971509bfa93879b2

SHA1
3c12a5f02faad09233c2227306310eb30a8813b2

SHA256
f944305c320bd290f8168a922e120745da61250099a45f4f54327448d3ec4995

SHA512
ac487a5ab4f5d68154dd2f17a3660893c69576244250c63d94235b991697b6f30126b8b06419379ad26501fc0126773730b652e82fc09a2289041edb0ba56073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e531da0dd6f7e7a0d8fcacba01cef04

SHA1
8ff63ebb36257854f8d26cb8afcc3e8b67a154bc

SHA256
2a84c2abe97da6073e27c7be6ce2efa3a23327cc14a85c9174df775e20b13cda

SHA512
55c5a1762c9c9ace6e7f21df17bb9642b580964e7deae8fa44d696f534b3d8bd2791b85f327c4efea028d23b88b5a4b59d6470b794b92302663315852dd91388

Download Submit
memory/1116-286-0x0000000000270000-0x0000000000B68000-memory.dmp

Filesize
9.0MB

Download
memory/1116-288-0x0000000002B20000-0x0000000002B32000-memory.dmp

Filesize
72KB

Download
memory/1724-300-0x0000000000E20000-0x0000000001718000-memory.dmp

Filesize
9.0MB

Download
memory/1724-302-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1724-303-0x000000001B480000-0x000000001B492000-memory.dmp

Filesize
72KB

Download
memory/1740-33-0x000000001B960000-0x000000001B968000-memory.dmp

Filesize
32KB

Download
memory/1740-132-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-19-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/1740-20-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/1740-21-0x00000000011D0000-0x00000000011D8000-memory.dmp

Filesize
32KB

Download
memory/1740-23-0x00000000011E0000-0x00000000011F2000-memory.dmp

Filesize
72KB

Download
memory/1740-24-0x00000000011F0000-0x00000000011FC000-memory.dmp

Filesize
48KB

Download
memory/1740-25-0x000000001B010000-0x000000001B01C000-memory.dmp

Filesize
48KB

Download
memory/1740-26-0x000000001B510000-0x000000001B518000-memory.dmp

Filesize
32KB

Download
memory/1740-27-0x000000001B520000-0x000000001B52C000-memory.dmp

Filesize
48KB

Download
memory/1740-28-0x000000001B530000-0x000000001B53C000-memory.dmp

Filesize
48KB

Download
memory/1740-29-0x000000001B540000-0x000000001B548000-memory.dmp

Filesize
32KB

Download
memory/1740-30-0x000000001B930000-0x000000001B93C000-memory.dmp

Filesize
48KB

Download
memory/1740-31-0x000000001B940000-0x000000001B94A000-memory.dmp

Filesize
40KB

Download
memory/1740-32-0x000000001B950000-0x000000001B95E000-memory.dmp

Filesize
56KB

Download
memory/1740-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/1740-34-0x000000001B970000-0x000000001B97E000-memory.dmp

Filesize
56KB

Download
memory/1740-35-0x000000001B980000-0x000000001B988000-memory.dmp

Filesize
32KB

Download
memory/1740-36-0x000000001B990000-0x000000001B99C000-memory.dmp

Filesize
48KB

Download
memory/1740-37-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

Filesize
32KB

Download
memory/1740-38-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/1740-39-0x000000001BAC0000-0x000000001BACC000-memory.dmp

Filesize
48KB

Download
memory/1740-17-0x0000000000D70000-0x0000000000DC6000-memory.dmp

Filesize
344KB

Download
memory/1740-16-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/1740-15-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/1740-18-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/1740-1-0x0000000001200000-0x0000000001AF8000-memory.dmp

Filesize
9.0MB

Download
memory/1740-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1740-14-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/1740-3-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1740-5-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/1740-6-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1740-13-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/1740-7-0x0000000000510000-0x000000000052C000-memory.dmp

Filesize
112KB

Download
memory/1740-8-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/1740-12-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/1740-11-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/1740-9-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/1740-10-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/1764-200-0x00000000011C0000-0x0000000001AB8000-memory.dmp

Filesize
9.0MB

Download
memory/1888-262-0x0000000000F50000-0x0000000000FA6000-memory.dmp

Filesize
344KB

Download
memory/1972-188-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1972-187-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2056-143-0x000000001B8B0000-0x000000001B8C2000-memory.dmp

Filesize
72KB

Download
memory/2056-142-0x000000001B820000-0x000000001B876000-memory.dmp

Filesize
344KB

Download
memory/2056-140-0x0000000001330000-0x0000000001C28000-memory.dmp

Filesize
9.0MB

Download
memory/3020-105-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/3020-110-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download