dcrat | 1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

338A02FF68C87C2E7D097B380656D773.exe
Size

65.0MB
MD5

338a02ff68c87c2e7d097b380656d773
SHA1

ce40934e8be5b9538b39e29a071df219ea259d21
SHA256

1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed
SHA512

32bddf7228af9bfc96e5b5d8e231b56718d409294a923b7cbb11dc94364611b01064ec9a40a680de26dcd66b3ba54d1f234c0a7466b235147d7609b786731521
SSDEEP

393216:9Om3Gy/7I4ro5jnVT5Xjbu8Y1l1zbg8i:om57IYis8m1b

Score

10^/10

dcrat evasion infostealer rat trojan upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	584	schtasks.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exeMonitorcommon.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\antiriser.bat	dcrat
C:\chainwebwinref\Monitorcommon.exe	dcrat
behavioral1/memory/2196-68-0x0000000000BA0000-0x0000000000EDE000-memory.dmp	dcrat
behavioral1/memory/2684-133-0x0000000001010000-0x000000000134E000-memory.dmp	dcrat
behavioral1/memory/2516-201-0x00000000000E0000-0x000000000041E000-memory.dmp	dcrat
behavioral1/memory/2956-213-0x0000000000F30000-0x000000000126E000-memory.dmp	dcrat
behavioral1/memory/1776-226-0x0000000001360000-0x000000000169E000-memory.dmp	dcrat
behavioral1/memory/2356-261-0x0000000000220000-0x000000000055E000-memory.dmp	dcrat
behavioral1/memory/1008-274-0x0000000000D40000-0x000000000107E000-memory.dmp	dcrat
behavioral1/memory/2632-286-0x0000000000EA0000-0x00000000011DE000-memory.dmp	dcrat
behavioral1/memory/1044-296-0x0000000000380000-0x00000000006BE000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI30082\python311.dll	acprotect

Executes dropped EXE 18 IoCs

Processes:

Built.exeBuilt.exediscord pro+.exeantiriser.batMonitorcommon.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	process
3008	Built.exe
2592	Built.exe
1724	discord pro+.exe
2636	antiriser.bat
2196	Monitorcommon.exe
2684	dwm.exe
1968	dwm.exe
2132	dwm.exe
2068	dwm.exe
2516	dwm.exe
2956	dwm.exe
1776	dwm.exe
1788	dwm.exe
816	dwm.exe
2356	dwm.exe
1008	dwm.exe
2632	dwm.exe
1044	dwm.exe

Loads dropped DLL 4 IoCs

Processes:

Built.exeBuilt.execmd.exe

pid process

3008 Built.exe
2592 Built.exe
2836 cmd.exe
2836 cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI30082\python311.dll	upx
behavioral1/memory/2592-42-0x00000000742C0000-0x00000000747CB000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exeMonitorcommon.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Monitorcommon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Drops file in Program Files directory 8 IoCs

Processes:

Monitorcommon.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	Monitorcommon.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\System.exe	Monitorcommon.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\27d1bcfc3c54e0	Monitorcommon.exe
File created	C:\Program Files\Google\Chrome\taskhost.exe	Monitorcommon.exe
File created	C:\Program Files\Google\Chrome\b75386f1303e64	Monitorcommon.exe
File created	C:\Program Files (x86)\Uninstall Information\Idle.exe	Monitorcommon.exe
File created	C:\Program Files (x86)\Uninstall Information\6ccacd8608530f	Monitorcommon.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	Monitorcommon.exe

Drops file in Windows directory 3 IoCs

Processes:

Monitorcommon.exe

description	ioc	process
File created	C:\Windows\diagnostics\scheduled\taskhost.exe	Monitorcommon.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\Monitorcommon.exe	Monitorcommon.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\5e9c6a1818cefd	Monitorcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
1316	schtasks.exe
2420	schtasks.exe
2292	schtasks.exe
3064	schtasks.exe
3016	schtasks.exe
2132	schtasks.exe
2000	schtasks.exe
2204	schtasks.exe
1368	schtasks.exe
2688	schtasks.exe
1564	schtasks.exe
408	schtasks.exe
1536	schtasks.exe
2884	schtasks.exe
1752	schtasks.exe
1740	schtasks.exe
2616	schtasks.exe
2364	schtasks.exe
1356	schtasks.exe
1716	schtasks.exe
2720	schtasks.exe
1992	schtasks.exe
1788	schtasks.exe
2856	schtasks.exe
1584	schtasks.exe
760	schtasks.exe
2820	schtasks.exe
2120	schtasks.exe
2072	schtasks.exe
964	schtasks.exe
1944	schtasks.exe
1620	schtasks.exe
376	schtasks.exe
1984	schtasks.exe
1996	schtasks.exe
2964	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1056 reg.exe

pid	process
1056	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Monitorcommon.exedwm.exedwm.exe

pid	process
2196	Monitorcommon.exe
2196	Monitorcommon.exe
2196	Monitorcommon.exe
2196	Monitorcommon.exe
2196	Monitorcommon.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
2684	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe
1968	dwm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Monitorcommon.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	2196	Monitorcommon.exe
Token: SeDebugPrivilege	2684	dwm.exe
Token: SeDebugPrivilege	1968	dwm.exe
Token: SeDebugPrivilege	2132	dwm.exe
Token: SeDebugPrivilege	2068	dwm.exe
Token: SeDebugPrivilege	2516	dwm.exe
Token: SeDebugPrivilege	2956	dwm.exe
Token: SeDebugPrivilege	1776	dwm.exe
Token: SeDebugPrivilege	1788	dwm.exe
Token: SeDebugPrivilege	816	dwm.exe
Token: SeDebugPrivilege	2356	dwm.exe
Token: SeDebugPrivilege	1008	dwm.exe
Token: SeDebugPrivilege	2632	dwm.exe
Token: SeDebugPrivilege	1044	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

338A02FF68C87C2E7D097B380656D773.exeBuilt.exediscord pro+.exeantiriser.batWScript.execmd.exeMonitorcommon.exedwm.exeWScript.exedwm.exeWScript.exedwm.exeWScript.exe

description	pid	process	target process
PID 2916 wrote to memory of 3008	2916	338A02FF68C87C2E7D097B380656D773.exe	Built.exe
PID 2916 wrote to memory of 3008	2916	338A02FF68C87C2E7D097B380656D773.exe	Built.exe
PID 2916 wrote to memory of 3008	2916	338A02FF68C87C2E7D097B380656D773.exe	Built.exe
PID 2916 wrote to memory of 3008	2916	338A02FF68C87C2E7D097B380656D773.exe	Built.exe
PID 3008 wrote to memory of 2592	3008	Built.exe	Built.exe
PID 3008 wrote to memory of 2592	3008	Built.exe	Built.exe
PID 3008 wrote to memory of 2592	3008	Built.exe	Built.exe
PID 3008 wrote to memory of 2592	3008	Built.exe	Built.exe
PID 2916 wrote to memory of 1724	2916	338A02FF68C87C2E7D097B380656D773.exe	discord pro+.exe
PID 2916 wrote to memory of 1724	2916	338A02FF68C87C2E7D097B380656D773.exe	discord pro+.exe
PID 2916 wrote to memory of 1724	2916	338A02FF68C87C2E7D097B380656D773.exe	discord pro+.exe
PID 1724 wrote to memory of 2636	1724	discord pro+.exe	antiriser.bat
PID 1724 wrote to memory of 2636	1724	discord pro+.exe	antiriser.bat
PID 1724 wrote to memory of 2636	1724	discord pro+.exe	antiriser.bat
PID 1724 wrote to memory of 2636	1724	discord pro+.exe	antiriser.bat
PID 2636 wrote to memory of 2244	2636	antiriser.bat	WScript.exe
PID 2636 wrote to memory of 2244	2636	antiriser.bat	WScript.exe
PID 2636 wrote to memory of 2244	2636	antiriser.bat	WScript.exe
PID 2636 wrote to memory of 2244	2636	antiriser.bat	WScript.exe
PID 2636 wrote to memory of 1644	2636	antiriser.bat	WScript.exe
PID 2636 wrote to memory of 1644	2636	antiriser.bat	WScript.exe
PID 2636 wrote to memory of 1644	2636	antiriser.bat	WScript.exe
PID 2636 wrote to memory of 1644	2636	antiriser.bat	WScript.exe
PID 2244 wrote to memory of 2836	2244	WScript.exe	cmd.exe
PID 2244 wrote to memory of 2836	2244	WScript.exe	cmd.exe
PID 2244 wrote to memory of 2836	2244	WScript.exe	cmd.exe
PID 2244 wrote to memory of 2836	2244	WScript.exe	cmd.exe
PID 2836 wrote to memory of 2196	2836	cmd.exe	Monitorcommon.exe
PID 2836 wrote to memory of 2196	2836	cmd.exe	Monitorcommon.exe
PID 2836 wrote to memory of 2196	2836	cmd.exe	Monitorcommon.exe
PID 2836 wrote to memory of 2196	2836	cmd.exe	Monitorcommon.exe
PID 2196 wrote to memory of 2684	2196	Monitorcommon.exe	dwm.exe
PID 2196 wrote to memory of 2684	2196	Monitorcommon.exe	dwm.exe
PID 2196 wrote to memory of 2684	2196	Monitorcommon.exe	dwm.exe
PID 2836 wrote to memory of 1056	2836	cmd.exe	reg.exe
PID 2836 wrote to memory of 1056	2836	cmd.exe	reg.exe
PID 2836 wrote to memory of 1056	2836	cmd.exe	reg.exe
PID 2836 wrote to memory of 1056	2836	cmd.exe	reg.exe
PID 2684 wrote to memory of 2636	2684	dwm.exe	WScript.exe
PID 2684 wrote to memory of 2636	2684	dwm.exe	WScript.exe
PID 2684 wrote to memory of 2636	2684	dwm.exe	WScript.exe
PID 2684 wrote to memory of 280	2684	dwm.exe	WScript.exe
PID 2684 wrote to memory of 280	2684	dwm.exe	WScript.exe
PID 2684 wrote to memory of 280	2684	dwm.exe	WScript.exe
PID 2636 wrote to memory of 1968	2636	WScript.exe	dwm.exe
PID 2636 wrote to memory of 1968	2636	WScript.exe	dwm.exe
PID 2636 wrote to memory of 1968	2636	WScript.exe	dwm.exe
PID 1968 wrote to memory of 2452	1968	dwm.exe	WScript.exe
PID 1968 wrote to memory of 2452	1968	dwm.exe	WScript.exe
PID 1968 wrote to memory of 2452	1968	dwm.exe	WScript.exe
PID 1968 wrote to memory of 1516	1968	dwm.exe	WScript.exe
PID 1968 wrote to memory of 1516	1968	dwm.exe	WScript.exe
PID 1968 wrote to memory of 1516	1968	dwm.exe	WScript.exe
PID 2452 wrote to memory of 2132	2452	WScript.exe	dwm.exe
PID 2452 wrote to memory of 2132	2452	WScript.exe	dwm.exe
PID 2452 wrote to memory of 2132	2452	WScript.exe	dwm.exe
PID 2132 wrote to memory of 2056	2132	dwm.exe	WScript.exe
PID 2132 wrote to memory of 2056	2132	dwm.exe	WScript.exe
PID 2132 wrote to memory of 2056	2132	dwm.exe	WScript.exe
PID 2132 wrote to memory of 1700	2132	dwm.exe	WScript.exe
PID 2132 wrote to memory of 1700	2132	dwm.exe	WScript.exe
PID 2132 wrote to memory of 1700	2132	dwm.exe	WScript.exe
PID 2056 wrote to memory of 2068	2056	WScript.exe	dwm.exe
PID 2056 wrote to memory of 2068	2056	WScript.exe	dwm.exe

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exeMonitorcommon.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Monitorcommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\338A02FF68C87C2E7D097B380656D773.exe
"C:\Users\Admin\AppData\Local\Temp\338A02FF68C87C2E7D097B380656D773.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2592
- C:\Users\Admin\AppData\Local\Temp\discord pro+.exe
  "C:\Users\Admin\AppData\Local\Temp\discord pro+.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\antiriser.bat
    "C:\Users\Admin\AppData\Local\Temp\antiriser.bat"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainwebwinref\iIb9loxeJUzN.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\chainwebwinref\PkXKubhHOUD.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\chainwebwinref\Monitorcommon.exe
        
        "C:\chainwebwinref\Monitorcommon.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2196
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        "C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a007115a-28fc-44aa-815c-1438b0c1cc1f.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d7e7b48-105e-41e8-b4bc-33d4447b714e.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96723f4e-dd0e-4cc3-b712-221c7a89f5c1.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\177ba11c-4859-483b-bab8-fc6af48b6328.vbs"
        14⤵
        
        PID:2924
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66bda283-b03a-4c70-bdd1-d131f309a1bd.vbs"
        16⤵
        
        PID:2852
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88f5c2b3-37b2-4082-911d-8f50ca45c9cb.vbs"
        18⤵
        
        PID:2636
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85b79afd-9567-480b-959b-e0bd08329c9f.vbs"
        20⤵
        
        PID:2132
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd7ee534-98e4-4b4a-85ad-a8ca6be77c71.vbs"
        22⤵
        
        PID:1724
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf366b1a-5be4-40e5-af4b-5d3710da9919.vbs"
        24⤵
        
        PID:1064
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f0e4426-4f12-435c-b689-b5085b95fe06.vbs"
        26⤵
        
        PID:2420
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd2108f8-bb96-4479-9db7-5c336eed4ced.vbs"
        28⤵
        
        PID:3028
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        29⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a3e03ec-0207-44ae-b469-10d553bb9d21.vbs"
        30⤵
        
        PID:2804
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe
        31⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3de0d759-aed9-44eb-a3cd-5e55b3deb9c1.vbs"
        32⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bf2a694-e19b-4005-b92e-491184c52951.vbs"
        32⤵
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86cbc3e7-0dbe-4683-89e7-9994e7e72a1e.vbs"
        30⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d7eb37c-659c-45b5-9fff-be13c7386c28.vbs"
        28⤵
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449b3554-70fb-41c6-9c7f-bcd1d099956c.vbs"
        26⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9196c92-f288-433e-ac75-60f90845e7a4.vbs"
        24⤵
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecaa68f7-08a0-4268-9f49-5d250e37ab55.vbs"
        22⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f0fb7ac-28f7-4019-961a-8df715b1adc7.vbs"
        20⤵
        
        PID:964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff81188d-808a-416b-a0f5-0ad6228f7a9f.vbs"
        18⤵
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2a14b57-67d3-49b9-8c99-0c338bc2c0e4.vbs"
        16⤵
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2247558-7c7c-4c98-b811-f1b6aaf27274.vbs"
        14⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f43019e-0ce0-458a-8e56-06d96f7085b8.vbs"
        12⤵
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\681cbc5f-bc26-403a-b682-7cd1e3cad207.vbs"
        10⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51639d4f-e250-4c3c-8440-4b9ae382981b.vbs"
        8⤵
        
        PID:280
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:1056
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainwebwinref\file.vbs"
      4⤵
      PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MonitorcommonM" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Landscapes\Monitorcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Monitorcommon" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\Monitorcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MonitorcommonM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Landscapes\Monitorcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BuiltB" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Built.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Built" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Built.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BuiltB" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Built.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0a3e03ec-0207-44ae-b469-10d553bb9d21.vbs

Filesize
732B

MD5
3c5db50786a7e361d06c65a83b0329b6

SHA1
337c0541dc8b4d30a8cd553ccac906036250c892

SHA256
ebd284db1b2e999aed1b905cdac0f76645dcd0a6cd072d32d1efcc81f0d8c13d

SHA512
9b4a1151c3c11b48380f94479ed8c19966c8f090e4854dd6e1a749544f7599297c5a945069e34047b316d4f69eb559655a7f2a46b2d7eb2ab1bb623cfe5ec2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\177ba11c-4859-483b-bab8-fc6af48b6328.vbs

Filesize
732B

MD5
1aba1ba2b7ef41836d3e9fe1c5d74336

SHA1
d9f7e1732344655e37c95f426010733fd9c50120

SHA256
b57d5feeb8a313f3e32cc6988ffdbcbf31f9b51c90438baf6abd392f02b81c93

SHA512
5e45d0edf7f2f58f1406edced086374acede048868259a187208a794cee7b92e986d59d149496f4a4e0e10d1706ba209066fcfcfa6ab69b4646bd558819fae21

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f0e4426-4f12-435c-b689-b5085b95fe06.vbs

Filesize
732B

MD5
6490712fbe082a12e3480e2a1c3242ab

SHA1
46687d7a3b26e9c60156b524d4a2e1aafb56d0fe

SHA256
c87e277e34b348ca3ea34a981ed0c8b26352bc64543af8225b51733fee940710

SHA512
e6f77eb6273e37b69fe9f0a7e1d60fe55cf4b3dff1dee0acaf05e8e447a20fe7c6b87b9a2cda65ed2b45602dc6f5689a30cd223dae919afc464d69a0b4a4a212

Download Submit
C:\Users\Admin\AppData\Local\Temp\51639d4f-e250-4c3c-8440-4b9ae382981b.vbs

Filesize
508B

MD5
02f519e3117520301964d28129561526

SHA1
c2eb6a7977e3c3da4f1a261d9907bc2964447d4a

SHA256
7d5c5e5b4ab816c8e845d4b471bd9f4083b2a77e065ef673dc2b5befb0254289

SHA512
ddf79346d30a3c0e1b6c167e72b70c3dadb0ad247e21edcc18fce039da3357af681f860489622fe4b9ebb3487d70866856a26cf10fd4a9af293cccb72df5523b

Download Submit
C:\Users\Admin\AppData\Local\Temp\66bda283-b03a-4c70-bdd1-d131f309a1bd.vbs

Filesize
732B

MD5
a8b3ec68d06bf7fbc3e5c6a85b79bffb

SHA1
c3e06632f24bdd894052b330f3ca105e6dece386

SHA256
b09710c36fb0ad5dd898f131745687026e16255c66772bc69ead103911133889

SHA512
4443e37d6bf4fc7f6f151549fa8081c6ea1cbc4062157645918d33b3491aff637874316280eb2e01d8200019d8185bc600f8f339455d3d7d808924e3d20071c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\85b79afd-9567-480b-959b-e0bd08329c9f.vbs

Filesize
732B

MD5
0e2b5a5dbf0f31c03e8770fd23162541

SHA1
3a73402a5f90dff8e6fabd0b3510a535aa40c4e5

SHA256
5361aef945830d3cf355d48b130b0aeba3b238baf1f0a180fe9d434a59547fae

SHA512
d5e9adb2a63d8a126eb778db6de9bf4d545fc49e6bdb32602da4ccbd3b5b25538055541d5019db08332dffd1c2468d51579aa583ca65c6176317a802e57cdcd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\88f5c2b3-37b2-4082-911d-8f50ca45c9cb.vbs

Filesize
732B

MD5
087e28ef6a3535f877a41c2b51eb1e7d

SHA1
8f9fb69f6faaadb88d62364a310695464a1479d0

SHA256
988623de3b5a4cc911e7a1f414e0010c73b6a4a357e7310e4fc16c366a250b1d

SHA512
a78aa2c258a819d64d1fa9f8e3f09716d8363f24d37fc0b3cfc239a3d8b895ba3881653de3ffcdd99c3c44fba1ee1d148bae3130add26a058aa9e0b0c7074bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\96723f4e-dd0e-4cc3-b712-221c7a89f5c1.vbs

Filesize
732B

MD5
e335c1a01d62e25cd3d6215aa0a84a51

SHA1
cdb993e821ceed9d37d3577ba900edbe6a9d1b57

SHA256
9676b5cbffa442b5b0bbe67ae76653d567a62874315189f54142293df0a45dfe

SHA512
8a6a3af7a70eaa49ee6f159272a698c8344f6b786975efc4604ac5ee4a5f33069324f13ce7a3e476edc4d86cd909435184ad0dd59990b775064e8d6bf8bf6ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d7e7b48-105e-41e8-b4bc-33d4447b714e.vbs

Filesize
732B

MD5
6346c43db68a187cb565a10d51aa30a9

SHA1
490c65499f374a581e38b4a86d2508aa1da90f32

SHA256
9fa440925ee8bacb9806c4b02bb3e93e1973786b7d19b7d8884312e83099420b

SHA512
a251e08b913b0479a4ff4b09b96542ef7dc9bd4d687995e3edaf0f1573a6f67c81692c689c7e31d3b706b30d6297c5bd9d3876531a3df65726c2f27d5565b4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.0MB

MD5
0d64f132d10db65864d0bd5546e7dc36

SHA1
6f4f2b50acf4c125710e6b5ba2b6e9cda8072701

SHA256
891875f75fa00b00d91bb9490075ec1b462b92cb95a3d97e74de3ab28fd0e17b

SHA512
d135f27aaefa17d7cff10245d92019d8bca2ad38246acfe24f33df873b9064ec2e5929941b680491a9a34980b0797c082f94aa84ca5f8d3077fd0bbf0ebfdee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\python311.dll

Filesize
1.4MB

MD5
0e06f85bcfb1c684469ce62e35b5c272

SHA1
73122369425c1fec9a035975a1834139f6869279

SHA256
6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8

SHA512
c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a007115a-28fc-44aa-815c-1438b0c1cc1f.vbs

Filesize
732B

MD5
d7b585706db5b6d33c0a7a8799c3e9bc

SHA1
d0c576b49b93aced23613a05d267eda6128c9d12

SHA256
34a75fa17fc8dd11577302012a9fd0bcb1579ec0083a9c20ddb7ca40f6e5c617

SHA512
f8b663462719350dca456c5a498eb5eed82880451986e6a757b47e11368a9e67f3d32c68e20af83d2ebe2a0728af4a111deecbf0af9de353e11eb5c14b5bab98

Download Submit
C:\Users\Admin\AppData\Local\Temp\antiriser.bat

Filesize
3.5MB

MD5
d0e8048fe2f4e5dfc74f0e28cf367b68

SHA1
9e9cee85fc51346d10228dfe8b68f250ac839963

SHA256
06e0057c52d77e3027ce56b6d4f6130935b08655a512949819bdeef3a4c5d96e

SHA512
019db1439c6158d906d18f12014a28de503c8f7f2b371cb0a7171067252326e1fb675300ad87748de1a986ba8c93fa4e96ffb7181080caeadb84fe223cd3e2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf366b1a-5be4-40e5-af4b-5d3710da9919.vbs

Filesize
731B

MD5
e69cbbc19a040f133ac0d2ef64df7eb6

SHA1
f5da27a76bfbabea8213946cfa140d823858b6d0

SHA256
0a200b2267c20d8fed8d65a659e8496b6012a3ae5ed65f424bbd76431b2d9ab1

SHA512
cea0dd633f4a03d690108ad764641bd78312ac40e58d21e5b245bd9112f8214f65a2db61877dc5908e73ab56b663932a7d17ac548d745f670930ab48a3568650

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd7ee534-98e4-4b4a-85ad-a8ca6be77c71.vbs

Filesize
732B

MD5
e8462051009d81ab65728481bc27efc3

SHA1
7876de510ecfb864eb6e1e2f7e0fbe21625f755f

SHA256
ef21f0ed1e31fb328502d01b3b28562e1bc72246bc91a678a0c543aee8bc4410

SHA512
27dabc5cae6761c5f790300b7807ee3d1559c87eeb5fa4ca07c0e61371ac6d22b125285362605556f9111fff7e88f4b142c4443df59e01a7bca2c950cc96a11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\discord pro+.exe

Filesize
3.0MB

MD5
7b4a8b361521883610975e8b43d95681

SHA1
00b0d75195a4bcf90275067967d6e63e10136ed6

SHA256
daeb1abee4ad4fb684882ab23860fa889fd148f6261515cc8abcee43c452e80e

SHA512
4041126395453662a0a0faaedd94e7c3158452308b46e1832755158b857c7613b61a34197addcfc2742fbd830c0727968ff873c081d1df58ebb540ca1bd38505

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd2108f8-bb96-4479-9db7-5c336eed4ced.vbs

Filesize
732B

MD5
27e5757423b8fdc9c0b7f551a109e70f

SHA1
0a6e968bb4976f8bbdabb48e19c079a81f157f59

SHA256
0ed0acf4f603d9cfca0fdf95d279158b6487a29fad79c2d20f5a688fa6512e76

SHA512
4475422b3a67560be025f6253cdecaf4cafb78655a94dea297995606b022bdd9dbbc4bea2b3e49d87e4b349978c6ed57f8def5b50850dfa10321c485e289cbce

Download Submit
C:\chainwebwinref\Monitorcommon.exe

Filesize
3.2MB

MD5
3afaa0c4c04a427730ce934ae0f4c564

SHA1
9b807ef589afc6f351747f538a3699480321dfcd

SHA256
71e9ccdeb11d71e77c33dd918395e46c2beae52ad38ffebb43a3d3d9fb1b0b86

SHA512
1acb409a096e0bb2a68c555459f2cf746507cccc4f06d593d9e8d8859678cd94a27a10f4e44fac16a8df0b5e01cb5be56fb588fc584b0832a93138adaa95f2de

Download Submit
C:\chainwebwinref\PkXKubhHOUD.bat

Filesize
149B

MD5
415ef0b3254212b48ed3737c0ae31765

SHA1
5371c866e12057c8bfa192b8821270e2a1845ea0

SHA256
77c0162c35af4c75b88c3a3f1354ceeba1a876bceee1eaf9fdfd5a70c92f3e71

SHA512
677541de752a22a1fdc566bf095f4c0e5b9bb54b5bbd25bcf77279f37350cb1204aa5daa9f5dd35c2fdd77cade4c2a3a7d00dafd44732dfff30cd9d90c11cfe7

Download Submit
C:\chainwebwinref\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\chainwebwinref\iIb9loxeJUzN.vbe

Filesize
202B

MD5
cc50d3040c60a2d321d63ce366fec7af

SHA1
511691c44989cb14e82f7d1cbecb1cd0c1390068

SHA256
dc27aaa80d2e5fa4355706d59178a265f704186c0beb1a06af3010453f976790

SHA512
d5f7d4615d81262aa4ddba2cb98d083bd67d503aea2a380e9e6969f856fe26c43270788903954b3a3bf50559c24a4b255cd121780fb6b4afa1c1060da9020aca

Download Submit
memory/1008-274-0x0000000000D40000-0x000000000107E000-memory.dmp

Filesize
3.2MB

Download
memory/1044-298-0x0000000002270000-0x00000000022C6000-memory.dmp

Filesize
344KB

Download
memory/1044-297-0x0000000000960000-0x0000000000972000-memory.dmp

Filesize
72KB

Download
memory/1044-296-0x0000000000380000-0x00000000006BE000-memory.dmp

Filesize
3.2MB

Download
memory/1724-38-0x0000000000E00000-0x0000000001106000-memory.dmp

Filesize
3.0MB

Download
memory/1724-41-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-48-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1776-226-0x0000000001360000-0x000000000169E000-memory.dmp

Filesize
3.2MB

Download
memory/1788-238-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/1968-165-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2068-189-0x0000000000C30000-0x0000000000C42000-memory.dmp

Filesize
72KB

Download
memory/2068-188-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2196-72-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2196-81-0x00000000025B0000-0x0000000002606000-memory.dmp

Filesize
344KB

Download
memory/2196-87-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/2196-88-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

Filesize
48KB

Download
memory/2196-89-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

Filesize
32KB

Download
memory/2196-90-0x000000001AFE0000-0x000000001AFEC000-memory.dmp

Filesize
48KB

Download
memory/2196-91-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

Filesize
48KB

Download
memory/2196-92-0x000000001B000000-0x000000001B008000-memory.dmp

Filesize
32KB

Download
memory/2196-93-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/2196-94-0x000000001B060000-0x000000001B06A000-memory.dmp

Filesize
40KB

Download
memory/2196-95-0x000000001B070000-0x000000001B07E000-memory.dmp

Filesize
56KB

Download
memory/2196-96-0x000000001B080000-0x000000001B088000-memory.dmp

Filesize
32KB

Download
memory/2196-97-0x000000001B090000-0x000000001B09E000-memory.dmp

Filesize
56KB

Download
memory/2196-98-0x000000001B0A0000-0x000000001B0A8000-memory.dmp

Filesize
32KB

Download
memory/2196-99-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/2196-100-0x000000001B0C0000-0x000000001B0CA000-memory.dmp

Filesize
40KB

Download
memory/2196-101-0x000000001B0D0000-0x000000001B0DC000-memory.dmp

Filesize
48KB

Download
memory/2196-68-0x0000000000BA0000-0x0000000000EDE000-memory.dmp

Filesize
3.2MB

Download
memory/2196-69-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2196-85-0x000000001AA30000-0x000000001AA38000-memory.dmp

Filesize
32KB

Download
memory/2196-84-0x000000001AA20000-0x000000001AA2C000-memory.dmp

Filesize
48KB

Download
memory/2196-83-0x000000001AA10000-0x000000001AA18000-memory.dmp

Filesize
32KB

Download
memory/2196-82-0x000000001AA00000-0x000000001AA0C000-memory.dmp

Filesize
48KB

Download
memory/2196-86-0x000000001ABB0000-0x000000001ABC2000-memory.dmp

Filesize
72KB

Download
memory/2196-80-0x00000000025A0000-0x00000000025AA000-memory.dmp

Filesize
40KB

Download
memory/2196-79-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/2196-78-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2196-70-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/2196-77-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2196-71-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2196-73-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2196-76-0x00000000023F0000-0x0000000002402000-memory.dmp

Filesize
72KB

Download
memory/2196-75-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2196-74-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/2356-261-0x0000000000220000-0x000000000055E000-memory.dmp

Filesize
3.2MB

Download
memory/2356-262-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2516-201-0x00000000000E0000-0x000000000041E000-memory.dmp

Filesize
3.2MB

Download
memory/2592-42-0x00000000742C0000-0x00000000747CB000-memory.dmp

Filesize
5.0MB

Download
memory/2632-286-0x0000000000EA0000-0x00000000011DE000-memory.dmp

Filesize
3.2MB

Download
memory/2684-134-0x0000000000FB0000-0x0000000001006000-memory.dmp

Filesize
344KB

Download
memory/2684-133-0x0000000001010000-0x000000000134E000-memory.dmp

Filesize
3.2MB

Download
memory/2916-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2916-40-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-9-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-1-0x0000000000F50000-0x000000000183A000-memory.dmp

Filesize
8.9MB

Download
memory/2956-213-0x0000000000F30000-0x000000000126E000-memory.dmp

Filesize
3.2MB

Download
memory/2956-214-0x0000000000C90000-0x0000000000CE6000-memory.dmp

Filesize
344KB

Download