dcrat | cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Size

1.5MB
MD5

9113e61fefe783afc64305785fe21230
SHA1

0175acf449d5a5c337373aad116391dbf1eb5bc1
SHA256

cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764
SHA512

eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2264	schtasks.exe
		3976	schtasks.exe
		3088	schtasks.exe
		3832	schtasks.exe
		1668	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
		3876	schtasks.exe
		2704	schtasks.exe
		1856	schtasks.exe
File created	C:\Windows\System32\BCP47Langs\66fc9ff0ee96c2		cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\", \"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\", \"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\", \"C:\\Windows\\System32\\AarSvc\\fontdrvhost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\", \"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\", \"C:\\Windows\\System32\\AarSvc\\fontdrvhost.exe\", \"C:\\Windows\\setuperr\\explorer.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\", \"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\", \"C:\\Windows\\System32\\AarSvc\\fontdrvhost.exe\", \"C:\\Windows\\setuperr\\explorer.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\\microsoft.system.package.metadata\\RuntimeBroker.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\", \"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\", \"C:\\Windows\\System32\\AarSvc\\fontdrvhost.exe\", \"C:\\Windows\\setuperr\\explorer.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\\microsoft.system.package.metadata\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Cortana.Internal.Search\\SearchApp.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\", \"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\", \"C:\\Windows\\System32\\AarSvc\\fontdrvhost.exe\", \"C:\\Windows\\setuperr\\explorer.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\\microsoft.system.package.metadata\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Cortana.Internal.Search\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\", \"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\", \"C:\\Windows\\System32\\AarSvc\\fontdrvhost.exe\", \"C:\\Windows\\setuperr\\explorer.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\\microsoft.system.package.metadata\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Cortana.Internal.Search\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Windows\\System32\\oleaut32\\RuntimeBroker.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2184	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	2184	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	2184	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	2184	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	2184	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2184	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2184	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2184	schtasks.exe	81

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 14 IoCs

pid	Process
1532	unsecapp.exe
2956	unsecapp.exe
3888	unsecapp.exe
4448	unsecapp.exe
3916	unsecapp.exe
4068	unsecapp.exe
1448	unsecapp.exe
2040	unsecapp.exe
3964	unsecapp.exe
3884	unsecapp.exe
2424	unsecapp.exe
2244	unsecapp.exe
2124	unsecapp.exe
1852	unsecapp.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Cortana.Internal.Search\\SearchApp.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\oleaut32\\RuntimeBroker.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\ProgramData\\SoftwareDistribution\\unsecapp.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\AarSvc\\fontdrvhost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\setuperr\\explorer.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\\microsoft.system.package.metadata\\RuntimeBroker.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\\microsoft.system.package.metadata\\RuntimeBroker.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Cortana.Internal.Search\\SearchApp.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\BCP47Langs\\sihost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\oleaut32\\RuntimeBroker.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\setuperr\\explorer.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\AarSvc\\fontdrvhost.exe\""	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\AarSvc\fontdrvhost.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\oleaut32\RuntimeBroker.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\BCP47Langs\RCXB293.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\AarSvc\RCXB719.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\oleaut32\RuntimeBroker.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\BCP47Langs\66fc9ff0ee96c2	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\BCP47Langs\sihost.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\AarSvc\5b884080fd4f94	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\oleaut32\9e8d7a4ca61bd9	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\AarSvc\fontdrvhost.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\System32\oleaut32\RCXC324.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\System32\BCP47Langs\sihost.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search\SearchApp.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\setuperr\RCXB9CA.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\RuntimeBroker.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\setuperr\7a0fd90576e088	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\RuntimeBroker.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search\38384e6a620884	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\setuperr\explorer.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\RCXBBDE.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search\RCXBE02.tmp	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search\SearchApp.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\setuperr\explorer.exe	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\9e8d7a4ca61bd9	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3832	schtasks.exe
1668	schtasks.exe
2704	schtasks.exe
1856	schtasks.exe
2264	schtasks.exe
3876	schtasks.exe
3976	schtasks.exe
3088	schtasks.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	unsecapp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
4292	powershell.exe
4940	powershell.exe
2080	powershell.exe
4468	powershell.exe
4972	powershell.exe
2688	powershell.exe
4408	powershell.exe
1776	powershell.exe
1776	powershell.exe
2340	powershell.exe
2340	powershell.exe
2340	powershell.exe
4940	powershell.exe
4940	powershell.exe
4292	powershell.exe
4292	powershell.exe
2080	powershell.exe
2080	powershell.exe
1776	powershell.exe
4468	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1532	unsecapp.exe
Token: SeDebugPrivilege	2956	unsecapp.exe
Token: SeDebugPrivilege	3888	unsecapp.exe
Token: SeDebugPrivilege	4448	unsecapp.exe
Token: SeDebugPrivilege	3916	unsecapp.exe
Token: SeDebugPrivilege	4068	unsecapp.exe
Token: SeDebugPrivilege	1448	unsecapp.exe
Token: SeDebugPrivilege	2040	unsecapp.exe
Token: SeDebugPrivilege	3964	unsecapp.exe
Token: SeDebugPrivilege	3884	unsecapp.exe
Token: SeDebugPrivilege	2424	unsecapp.exe
Token: SeDebugPrivilege	2244	unsecapp.exe
Token: SeDebugPrivilege	2124	unsecapp.exe
Token: SeDebugPrivilege	1852	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 2080	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	90
PID 3328 wrote to memory of 2080	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	90
PID 3328 wrote to memory of 1776	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	91
PID 3328 wrote to memory of 1776	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	91
PID 3328 wrote to memory of 4408	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	107
PID 3328 wrote to memory of 4408	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	107
PID 3328 wrote to memory of 2340	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	106
PID 3328 wrote to memory of 2340	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	106
PID 3328 wrote to memory of 4292	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	105
PID 3328 wrote to memory of 4292	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	105
PID 3328 wrote to memory of 4468	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	104
PID 3328 wrote to memory of 4468	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	104
PID 3328 wrote to memory of 4972	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	103
PID 3328 wrote to memory of 4972	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	103
PID 3328 wrote to memory of 4940	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	102
PID 3328 wrote to memory of 4940	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	102
PID 3328 wrote to memory of 2688	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	100
PID 3328 wrote to memory of 2688	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	100
PID 3328 wrote to memory of 4528	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	108
PID 3328 wrote to memory of 4528	3328	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe	108
PID 4528 wrote to memory of 4672	4528	cmd.exe	110
PID 4528 wrote to memory of 4672	4528	cmd.exe	110
PID 4528 wrote to memory of 1532	4528	cmd.exe	113
PID 4528 wrote to memory of 1532	4528	cmd.exe	113
PID 1532 wrote to memory of 2968	1532	unsecapp.exe	116
PID 1532 wrote to memory of 2968	1532	unsecapp.exe	116
PID 1532 wrote to memory of 2912	1532	unsecapp.exe	117
PID 1532 wrote to memory of 2912	1532	unsecapp.exe	117
PID 2968 wrote to memory of 2956	2968	WScript.exe	121
PID 2968 wrote to memory of 2956	2968	WScript.exe	121
PID 2956 wrote to memory of 2772	2956	unsecapp.exe	122
PID 2956 wrote to memory of 2772	2956	unsecapp.exe	122
PID 2956 wrote to memory of 4576	2956	unsecapp.exe	123
PID 2956 wrote to memory of 4576	2956	unsecapp.exe	123
PID 2772 wrote to memory of 3888	2772	WScript.exe	125
PID 2772 wrote to memory of 3888	2772	WScript.exe	125
PID 3888 wrote to memory of 1912	3888	unsecapp.exe	126
PID 3888 wrote to memory of 1912	3888	unsecapp.exe	126
PID 3888 wrote to memory of 4364	3888	unsecapp.exe	127
PID 3888 wrote to memory of 4364	3888	unsecapp.exe	127
PID 1912 wrote to memory of 4448	1912	WScript.exe	128
PID 1912 wrote to memory of 4448	1912	WScript.exe	128
PID 4448 wrote to memory of 2012	4448	unsecapp.exe	129
PID 4448 wrote to memory of 2012	4448	unsecapp.exe	129
PID 4448 wrote to memory of 2964	4448	unsecapp.exe	130
PID 4448 wrote to memory of 2964	4448	unsecapp.exe	130
PID 2012 wrote to memory of 3916	2012	WScript.exe	131
PID 2012 wrote to memory of 3916	2012	WScript.exe	131
PID 3916 wrote to memory of 1600	3916	unsecapp.exe	132
PID 3916 wrote to memory of 1600	3916	unsecapp.exe	132
PID 3916 wrote to memory of 2916	3916	unsecapp.exe	133
PID 3916 wrote to memory of 2916	3916	unsecapp.exe	133
PID 1600 wrote to memory of 4068	1600	WScript.exe	134
PID 1600 wrote to memory of 4068	1600	WScript.exe	134
PID 4068 wrote to memory of 1592	4068	unsecapp.exe	135
PID 4068 wrote to memory of 1592	4068	unsecapp.exe	135
PID 4068 wrote to memory of 2952	4068	unsecapp.exe	136
PID 4068 wrote to memory of 2952	4068	unsecapp.exe	136
PID 1592 wrote to memory of 1448	1592	WScript.exe	137
PID 1592 wrote to memory of 1448	1592	WScript.exe	137
PID 1448 wrote to memory of 4696	1448	unsecapp.exe	138
PID 1448 wrote to memory of 4696	1448	unsecapp.exe	138
PID 4696 wrote to memory of 2040	4696	WScript.exe	139
PID 4696 wrote to memory of 2040	4696	WScript.exe	139

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe
"C:\Users\Admin\AppData\Local\Temp\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\BCP47Langs\sihost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\oleaut32\RuntimeBroker.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search\SearchApp.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\RuntimeBroker.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\setuperr\explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\AarSvc\fontdrvhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\SoftwareDistribution\unsecapp.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lis0NcRGPy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4672
- - C:\ProgramData\SoftwareDistribution\unsecapp.exe
    "C:\ProgramData\SoftwareDistribution\unsecapp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1532
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\153acc10-919b-4c02-92d2-8e59d3155083.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\233a3a85-c056-460e-8bb3-526dd76b5336.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffcd9573-f40f-497c-821e-8ec5d445af3c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6dc543f-f00d-427c-b966-dfd45ed386ca.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b7ae888-8abe-4631-a9f5-eb03a70e1f20.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46194380-15c5-485c-93ec-555534332b9a.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bca3b087-5aaf-4cb3-b328-a5506289cc1f.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a34ec6ad-aae3-4c48-83c2-bf7277f74278.vbs"
        18⤵
        
        PID:3636
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4543e22-cfd9-4d9e-ba04-e254e10ec8da.vbs"
        20⤵
        
        PID:3400
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2b4942a-308a-4d08-8aaa-e5067a8adf03.vbs"
        22⤵
        
        PID:3916
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28979b7e-85d5-44b3-9a61-3355d7d5b660.vbs"
        24⤵
        
        PID:2204
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b94f26d-7726-4432-b703-e0356a113461.vbs"
        26⤵
        
        PID:2280
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29bc65f6-8c02-48e9-a3cb-d7bc77961f9a.vbs"
        28⤵
        
        PID:1628
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        
        C:\ProgramData\SoftwareDistribution\unsecapp.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60b407cb-475a-44ea-b683-89dc8541e66e.vbs"
        30⤵
        
        PID:3336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\448e171f-d435-47be-8403-c8e17869b84e.vbs"
        30⤵
        
        PID:608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9878d36b-eeeb-4957-97cd-b91fc84e475f.vbs"
        28⤵
        
        PID:3184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa7b7d7c-993c-4e38-acb5-ba07eda059b7.vbs"
        26⤵
        
        PID:5084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbdfb18e-a81f-4df9-a43c-7b959f76d16d.vbs"
        24⤵
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1695982-6627-440d-a42f-4c036623ec57.vbs"
        22⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ea7ffc7-d343-4aaa-84f4-c1007536a7a0.vbs"
        20⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41ee64ae-57a1-433a-a39e-3d66e52acf0b.vbs"
        18⤵
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f199a35b-1186-4345-9db2-4a3e246d00fe.vbs"
        14⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c1c6d87-1520-4558-ae84-cd83d07a7cfc.vbs"
        12⤵
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7cfda7f-add3-4630-a6fc-150f21877733.vbs"
        10⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d36e93e6-e90d-4767-b276-2935740a0f39.vbs"
        8⤵
        
        PID:4364
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d52e80bd-acb9-4ccd-96c1-d73a52bd609d.vbs"
        6⤵
        
        PID:4576
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26e0e473-d95b-45cb-9554-7ccdeace6eee.vbs"
      4⤵
      PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\BCP47Langs\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\AarSvc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\setuperr\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\oleaut32\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\ProgramData\SoftwareDistribution\unsecapp.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
358897459512b9d5c2be170ec908d608

SHA1
e148b7f56ef6acfb1559371f67c68ce9b8ab6078

SHA256
1905dc1d997787318b7e03374d0153fa77c08cf76167758d539b00c48e417d3e

SHA512
6edc8ecac30aa74f0eedbc33722878e0b8154e63f6c8f7cadca1b08c039535dc0fb64b046ba4631f269704d9bf7202fa1afb0f858aa5ae508387427b6f71627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
358897459512b9d5c2be170ec908d608

SHA1
e148b7f56ef6acfb1559371f67c68ce9b8ab6078

SHA256
1905dc1d997787318b7e03374d0153fa77c08cf76167758d539b00c48e417d3e

SHA512
6edc8ecac30aa74f0eedbc33722878e0b8154e63f6c8f7cadca1b08c039535dc0fb64b046ba4631f269704d9bf7202fa1afb0f858aa5ae508387427b6f71627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b7ae888-8abe-4631-a9f5-eb03a70e1f20.vbs

Filesize
724B

MD5
b911ed76cc8e5461428f6711263fd27a

SHA1
bd9d703f8227e238ed7e0532efa51131255bee44

SHA256
2c4d43800cf06b70466274bf294376177c42b781129fd8c2e072dc1913b293fe

SHA512
c3d66b378ec7e27e9ea5ba877099234ab20d6f65d7a840b9d4de9f4323b453eb56c24e5d606fd98dcd702e1877d79d8d6c62b54fa3ba7200f353c6713081c4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\153acc10-919b-4c02-92d2-8e59d3155083.vbs

Filesize
724B

MD5
1d3c055653d8d867753b41c57fc371b3

SHA1
17582346f85ed0e903d96961cf4a881240410236

SHA256
47861fb9b741f6e3f3219841555b0c0b08fc7eb478ae5d4a3e3f618f12278ee4

SHA512
4e9d326b0dbbc6a1f9c1b74039c7ef91618ae74ec633a115741abe4b81fd2c9d8bc1d80429492c56e148563a8c973b7bb8beaec241751ce66785e8e5ae7c5ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\233a3a85-c056-460e-8bb3-526dd76b5336.vbs

Filesize
724B

MD5
17b4e4b41c38638395dac0adedd1e7a4

SHA1
1ad143d480fb21762f44c122ffbbe8dbaae5ba44

SHA256
8865776598843e5d9910be3659249097cb1a87244d568af12829dd4cdc41f77c

SHA512
5896687c1a7329eb3c1eadb2a590e11ba503fbe34f9d761a5fdc61235f1379ef2ef38ac31a6bc51c33fb19cacf0c43cddcee12f996c7aefe72ccecba80c0d448

Download Submit
C:\Users\Admin\AppData\Local\Temp\26e0e473-d95b-45cb-9554-7ccdeace6eee.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\28979b7e-85d5-44b3-9a61-3355d7d5b660.vbs

Filesize
724B

MD5
443b406dcb4f65c1abc2d5a68e95b1ed

SHA1
ee3751dc1eec796588628dc798ca7901b1ad365a

SHA256
b5f8c01f5f5ad18eee4e3bb434144af4df30b1a44a425f47e7dcaa286c13b148

SHA512
98f5555d9822132861a80ff85c9d4680f2f0758058e3fc6a7a67578134ffd6f8b29c4e58a2849e71c71ba3071d65825b766b727d3a97f725a6be14c41acb6671

Download Submit
C:\Users\Admin\AppData\Local\Temp\29bc65f6-8c02-48e9-a3cb-d7bc77961f9a.vbs

Filesize
724B

MD5
460351be6e0e4c20cc4c68dd67b86382

SHA1
b3837d94cac0d3da63a9cb72241f19f961684a6f

SHA256
647beb437e119f24e210a1afa7b59a7fd9fe9b1b3839a0a6b2e87327865535c7

SHA512
f86f235699e42fe84d443da695c37d56863ec8c837a7d42322e1d2f123d210e6527b82634078b7f610429e5d533b46e14177231cdbbb3d80d6281effb680a5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79da2d5cc14ad47ab45ff6b4a3c6211753b2ff.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41ee64ae-57a1-433a-a39e-3d66e52acf0b.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\46194380-15c5-485c-93ec-555534332b9a.vbs

Filesize
724B

MD5
29c729bece9ba598367ae4504aff3df4

SHA1
cd58145738291ecba43c7d7506bb6af3d925052c

SHA256
ec2bb765d33d9fc799a459f2e810b6f3949dad758e3675311a3a5c363ce99304

SHA512
18195d2a8415f38be0acb6afae8fbc511570cffbe34578809e0ffd5533bbb7e543863b045faa1836ca3b495bb878f7e13c8b87199dc637bbd27944e43e6984eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\60b407cb-475a-44ea-b683-89dc8541e66e.vbs

Filesize
724B

MD5
7656c15d181f58b8758582ff904cffc7

SHA1
d9f7a8c89257935f440ab8fdf3c65394055c5db3

SHA256
47a40694d582e5d7358f92f0a517e5b016fc4d63bce8250221f2b96df228caa4

SHA512
5a03a7ded1303f0fea681984fb4dc90fa3e1df841dbe390965ce76c24a5fb515f6eb6706779f21d9cc909e662f8c776b9b1c9b7f16fa18310574296b907b4138

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b94f26d-7726-4432-b703-e0356a113461.vbs

Filesize
724B

MD5
60612636fbe43e000fdcbfa3ebaaf228

SHA1
bc7a931e1c20e9691864c28e437589b3693aaea1

SHA256
c3b26e0a5668a1075779005beaa4be5f18a531fa72b6b59ddebf68a830e80403

SHA512
655b7f88bf411097a27c628e7baa1968b4724d28cb38353efacf358817d1d89670fa74a60d2ab4ed7b8828d0d9a7ea2e8d243325ac2f7bf16da378556b129b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c1c6d87-1520-4558-ae84-cd83d07a7cfc.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ea7ffc7-d343-4aaa-84f4-c1007536a7a0.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\9878d36b-eeeb-4957-97cd-b91fc84e475f.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lis0NcRGPy.bat

Filesize
212B

MD5
32cbd7415b0a1665c671c3a695f1c2dd

SHA1
89c896800208ca5ff309ae79e2009b779851ab2d

SHA256
309078be788f312634b982fcd078e840703163940b801af466463587b991a879

SHA512
406453f1494cb75f47278ebfbfb3b3ee882d86c0f48fb36e951adccf5ec366775f4e0a7f2a0c424ef0095d046c6ac2fbd84612b3dbdd1d438bd74b89538af682

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjkplrmc.dsk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1695982-6627-440d-a42f-4c036623ec57.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\a34ec6ad-aae3-4c48-83c2-bf7277f74278.vbs

Filesize
724B

MD5
328c2ad25427c2ee88f96ba841b2993e

SHA1
25251770b969f0a8e4296731808f4ef17d70e096

SHA256
2a246f22592ffa633a4d50a7073f1933e15fc0c3899a624d40adaeea6429b7a6

SHA512
db6de8c4c8becbf8d9afcc1ae2d39c242ba056745d29f4c31253a4dbb1c1af52b256d50150277bea711f8db65ccc5477f2f825bcf576e0b77c85ca9e505379ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa7b7d7c-993c-4e38-acb5-ba07eda059b7.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdfb18e-a81f-4df9-a43c-7b959f76d16d.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\bca3b087-5aaf-4cb3-b328-a5506289cc1f.vbs

Filesize
724B

MD5
d9ba6d282a76a9cf14a84fb860539105

SHA1
d8e18bb0293d4539a080d0f69d1cc88d23d0f540

SHA256
9c162431290768883ee0e87114145f1918c2baa289e2441e223dedefbed8b8d7

SHA512
30ad2161206432f5d6565b8dd9fa1f4d57dda2466b76bd0602d2e271f08987b43b42e07e4f5e2e894ac5dbd1b69abfd6a1527fb83fa28310f2770be56758c871

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4543e22-cfd9-4d9e-ba04-e254e10ec8da.vbs

Filesize
724B

MD5
ac0332588f8f34bba4f82a87b834d4c7

SHA1
b51fc7c35fe3a083f33615e9ed3e1cf589514de4

SHA256
471946a55b9bac89bcd0fa02c5b3995b57873386cfb0a55a617573992f676f91

SHA512
4b2210600458deb349bdd73af840dbc81fbd64d8f848a8e703d51d6a3cb41d4597fc25da472cf0346c0783e33c557b05b9827a771a432bb53729b3e65a662d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6dc543f-f00d-427c-b966-dfd45ed386ca.vbs

Filesize
724B

MD5
70c966a95b034af0076db23e0cd7d598

SHA1
959335e967f39c328f54a63356c4145e17b497a7

SHA256
7d189f49b2a48538eba3081dcdc5b2f94a5b0b7543159605f2c5d126d687499c

SHA512
31f2b05032f869c9c6091d96ede112e1326634528659418cc2f44b2417009c1f2830ee809ad430cf33b22b27d0c58dcc4d9de21ea28603755f6818acc99784da

Download Submit
C:\Users\Admin\AppData\Local\Temp\d36e93e6-e90d-4767-b276-2935740a0f39.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\d52e80bd-acb9-4ccd-96c1-d73a52bd609d.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\d52e80bd-acb9-4ccd-96c1-d73a52bd609d.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7cfda7f-add3-4630-a6fc-150f21877733.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\f199a35b-1186-4345-9db2-4a3e246d00fe.vbs

Filesize
500B

MD5
9767409bf64d960ae6bd9b0fdf2f95ca

SHA1
ff89f54b640971b0e709aabc8df4314a7be4d1f1

SHA256
cf2f745d4b53b615a874867b3d2e97ba62d16e7aab0fc763b8160139db773d30

SHA512
d8cc5afa7fa9d522be91c3463fc0dc42af775d063ec3a94e989aeb87bda01564b0bbf87d056c4b234eb5972c0773464e68681286c7516219c8bb20e2d5cdd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2b4942a-308a-4d08-8aaa-e5067a8adf03.vbs

Filesize
724B

MD5
8fe0ec0cb0f1b9efbbe14b7ce23650bd

SHA1
a5b9e302a95fca8c0d3332ae7c7efef9dc2bce12

SHA256
6c7b963140f5ea4b4088e630e3c783a48d7b25ce54f4600a89f56ddb921a36ed

SHA512
8bafb524f6c2e9a5c7f055806cdb7fa9880e54459b0c579de1f5128697447e33bf2314c0defacf712919c03dd20326a0488b42231042ac4286a406ecc5ab605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffcd9573-f40f-497c-821e-8ec5d445af3c.vbs

Filesize
724B

MD5
9b034c1b36a4d03cbf013fbdd4379b01

SHA1
349cdbedff68737f71cfb9d30c3a1d7d587d165e

SHA256
2f3b59c726d58911999f971a152eccc8a6683d9b1719c71349e8b28591fa2bab

SHA512
0b8fac1b4af62edf4f04e5417e3832888d3822028a0c6b0bba5b96391370416a60950dce5570a736f0fc83f2fd7c574c6511e49758cd943eb332877ad7161c52

Download Submit
C:\Windows\System32\oleaut32\RCXC324.tmp

Filesize
1.5MB

MD5
52eaa7b56c4cf4b09dc087311f3d1963

SHA1
2ec20856be671d8d6e4c2d442fe5bc29a62894fb

SHA256
11bd27325679c13746f5d7719b464e4682415bd449f2fb179bac2fc316d595ba

SHA512
649edc4b8e62c9deaa519d4ff975351bbd474d73b4776359ab9af73507042b252150faba9066b54b6b98774f53e3a4b29d3c921f240ddf531287ef337930ac79

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\RuntimeBroker.exe

Filesize
1.5MB

MD5
9113e61fefe783afc64305785fe21230

SHA1
0175acf449d5a5c337373aad116391dbf1eb5bc1

SHA256
cfd6a8c2a6c63b1059110bb8a6792668e56cdaa74e307b629fae37054e3c5764

SHA512
eea9e0b14423df677e25fe16b83d2f97f6992719030fb20a7e77b5159b4bca82853217bb4b4a0f826ff3264c96ec064dcbdb403a5cdd7e0c4a2135572a8dc2e6

Download Submit
memory/1776-210-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1776-120-0x0000013934820000-0x0000013934842000-memory.dmp

Filesize
136KB

Download
memory/1776-222-0x000001394CE30000-0x000001394CE40000-memory.dmp

Filesize
64KB

Download
memory/1776-214-0x000001394CE30000-0x000001394CE40000-memory.dmp

Filesize
64KB

Download
memory/2080-110-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2080-219-0x00000281CBCF0000-0x00000281CBD00000-memory.dmp

Filesize
64KB

Download
memory/2080-213-0x00000281CBCF0000-0x00000281CBD00000-memory.dmp

Filesize
64KB

Download
memory/2340-218-0x000001B5DBBD0000-0x000001B5DBBE0000-memory.dmp

Filesize
64KB

Download
memory/2340-232-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2340-205-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2340-206-0x000001B5DBBD0000-0x000001B5DBBE0000-memory.dmp

Filesize
64KB

Download
memory/2340-211-0x000001B5DBBD0000-0x000001B5DBBE0000-memory.dmp

Filesize
64KB

Download
memory/2688-208-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2688-209-0x0000025FFF3D0000-0x0000025FFF3E0000-memory.dmp

Filesize
64KB

Download
memory/2688-217-0x0000025FFF3D0000-0x0000025FFF3E0000-memory.dmp

Filesize
64KB

Download
memory/2688-220-0x0000025FFF3D0000-0x0000025FFF3E0000-memory.dmp

Filesize
64KB

Download
memory/3328-10-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/3328-24-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3328-1-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-18-0x0000000002640000-0x0000000002648000-memory.dmp

Filesize
32KB

Download
memory/3328-17-0x0000000002520000-0x000000000252C000-memory.dmp

Filesize
48KB

Download
memory/3328-103-0x000000001BFC0000-0x000000001C0C0000-memory.dmp

Filesize
1024KB

Download
memory/3328-2-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3328-16-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/3328-15-0x0000000002500000-0x000000000250A000-memory.dmp

Filesize
40KB

Download
memory/3328-95-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3328-3-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/3328-14-0x00000000024F0000-0x00000000024FC000-memory.dmp

Filesize
48KB

Download
memory/3328-13-0x00000000024E0000-0x00000000024EA000-memory.dmp

Filesize
40KB

Download
memory/3328-12-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/3328-4-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3328-11-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/3328-0-0x00000000001F0000-0x000000000036E000-memory.dmp

Filesize
1.5MB

Download
memory/3328-114-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-5-0x00000000024B0000-0x00000000024BC000-memory.dmp

Filesize
48KB

Download
memory/3328-73-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3328-21-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/3328-9-0x00000000024C0000-0x00000000024CC000-memory.dmp

Filesize
48KB

Download
memory/3328-43-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3328-20-0x0000000002650000-0x000000000265C000-memory.dmp

Filesize
48KB

Download
memory/3328-6-0x0000000002440000-0x000000000244A000-memory.dmp

Filesize
40KB

Download
memory/3328-8-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/3328-42-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3328-41-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-25-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3328-7-0x0000000002450000-0x000000000245C000-memory.dmp

Filesize
48KB

Download
memory/3328-88-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/4292-113-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-212-0x0000021478B70000-0x0000021478B80000-memory.dmp

Filesize
64KB

Download
memory/4408-215-0x0000018A19C30000-0x0000018A19C40000-memory.dmp

Filesize
64KB

Download
memory/4408-204-0x0000018A19C30000-0x0000018A19C40000-memory.dmp

Filesize
64KB

Download
memory/4408-203-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-191-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-216-0x00000187EC2A0000-0x00000187EC2B0000-memory.dmp

Filesize
64KB

Download
memory/4468-238-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-192-0x00000187EC2A0000-0x00000187EC2B0000-memory.dmp

Filesize
64KB

Download
memory/4468-198-0x00000187EC2A0000-0x00000187EC2B0000-memory.dmp

Filesize
64KB

Download
memory/4940-221-0x0000024799390000-0x00000247993A0000-memory.dmp

Filesize
64KB

Download
memory/4940-150-0x0000024799390000-0x00000247993A0000-memory.dmp

Filesize
64KB

Download
memory/4940-235-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-130-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-140-0x0000024799390000-0x00000247993A0000-memory.dmp

Filesize
64KB

Download
memory/4972-112-0x000001C6920D0000-0x000001C6920E0000-memory.dmp

Filesize
64KB

Download
memory/4972-109-0x00007FFF690F0000-0x00007FFF69BB1000-memory.dmp

Filesize
10.8MB

Download