dcrat | 85661d2d721f961564cb6de32c3f08b8108302e2d709f51aa8c03d6bbf114cc0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Size

4.9MB
MD5

e249c23fdd59a6f4cdbcd4cc7ded4300
SHA1

649b368b943bb8b93d90b21cd7ae9e59cd07c12e
SHA256

85661d2d721f961564cb6de32c3f08b8108302e2d709f51aa8c03d6bbf114cc0
SHA512

9c4d705dbca7224baa7a2e7f5918c7c14250ad78f216ebb96652845ac7c3fa6f21cee119276b5dbf77b4ac05ba78fc47386601985bf9c85096b9c83e9fb1855f
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2704	schtasks.exe

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e249c23fdd59a6f4cdbcd4cc7ded4300N.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2248-2-0x000000001B690000-0x000000001B7BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2932	powershell.exe
3052	powershell.exe
2392	powershell.exe
1992	powershell.exe
1348	powershell.exe
2624	powershell.exe
376	powershell.exe
1500	powershell.exe
2284	powershell.exe
2104	powershell.exe
1804	powershell.exe
2540	powershell.exe

Executes dropped EXE 6 IoCs

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid process

840 lsass.exe
936 lsass.exe
2896 lsass.exe
908 lsass.exe
2408 lsass.exe
1924 lsass.exe

pid	process
840	lsass.exe
936	lsass.exe
2896	lsass.exe
908	lsass.exe
2408	lsass.exe
1924	lsass.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exelsass.exelsass.exelsass.exee249c23fdd59a6f4cdbcd4cc7ded4300N.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in Program Files directory 16 IoCs

Processes:

e249c23fdd59a6f4cdbcd4cc7ded4300N.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\RCXF0F9.tmp	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\27d1bcfc3c54e0	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1610b97d3ab4a7	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXEE88.tmp	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\cc11b995f2a76d	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXF56D.tmp	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXE37.tmp	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe

Drops file in Windows directory 13 IoCs

Processes:

e249c23fdd59a6f4cdbcd4cc7ded4300N.exe

description	ioc	process
File opened for modification	C:\Windows\security\templates\dllhost.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Windows\security\templates\dllhost.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Windows\security\templates\5940a34987c991	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Windows\Registration\CRMLog\Idle.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Windows\Registration\CRMLog\Idle.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Windows\Boot\EFI\lsass.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Windows\Tasks\RCXEC16.tmp	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Windows\Tasks\taskhost.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Windows\security\templates\RCXFB88.tmp	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX220.tmp	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Windows\Tasks\taskhost.exe	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Windows\Tasks\b75386f1303e64	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
File created	C:\Windows\Registration\CRMLog\6ccacd8608530f	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2784	schtasks.exe
2712	schtasks.exe
2856	schtasks.exe
2900	schtasks.exe
2780	schtasks.exe
1160	schtasks.exe
3032	schtasks.exe
2268	schtasks.exe
1940	schtasks.exe
1736	schtasks.exe
2000	schtasks.exe
1924	schtasks.exe
1972	schtasks.exe
1592	schtasks.exe
2740	schtasks.exe
1264	schtasks.exe
688	schtasks.exe
1128	schtasks.exe
2040	schtasks.exe
2952	schtasks.exe
2096	schtasks.exe
2620	schtasks.exe
2612	schtasks.exe
536	schtasks.exe
1628	schtasks.exe
2116	schtasks.exe
1952	schtasks.exe
2736	schtasks.exe
2080	schtasks.exe
2864	schtasks.exe
2808	schtasks.exe
1392	schtasks.exe
3000	schtasks.exe
652	schtasks.exe
1472	schtasks.exe
2672	schtasks.exe
2104	schtasks.exe
236	schtasks.exe
1300	schtasks.exe
3024	schtasks.exe
2436	schtasks.exe
1948	schtasks.exe
1604	schtasks.exe
2572	schtasks.exe
1404	schtasks.exe
1856	schtasks.exe
1004	schtasks.exe
2140	schtasks.exe
2180	schtasks.exe
1748	schtasks.exe
1120	schtasks.exe
1676	schtasks.exe
1524	schtasks.exe
1756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

e249c23fdd59a6f4cdbcd4cc7ded4300N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
2104	powershell.exe
3052	powershell.exe
1804	powershell.exe
1992	powershell.exe
2284	powershell.exe
2932	powershell.exe
376	powershell.exe
2540	powershell.exe
2624	powershell.exe
1500	powershell.exe
1348	powershell.exe
2392	powershell.exe
840	lsass.exe
936	lsass.exe
2896	lsass.exe
908	lsass.exe
2408	lsass.exe
1924	lsass.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	840	lsass.exe
Token: SeDebugPrivilege	936	lsass.exe
Token: SeDebugPrivilege	2896	lsass.exe
Token: SeDebugPrivilege	908	lsass.exe
Token: SeDebugPrivilege	2408	lsass.exe
Token: SeDebugPrivilege	1924	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e249c23fdd59a6f4cdbcd4cc7ded4300N.execmd.exelsass.exeWScript.exelsass.exeWScript.exelsass.exe

description	pid	process	target process
PID 2248 wrote to memory of 3052	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 3052	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 3052	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2392	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2392	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2392	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2540	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2540	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2540	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2932	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2932	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2932	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1500	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1500	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1500	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 376	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 376	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 376	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2624	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2624	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2624	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1348	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1348	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1348	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1804	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1804	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1804	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2104	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2104	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2104	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2284	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2284	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2284	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1992	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1992	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 1992	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	powershell.exe
PID 2248 wrote to memory of 2824	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	cmd.exe
PID 2248 wrote to memory of 2824	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	cmd.exe
PID 2248 wrote to memory of 2824	2248	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe	cmd.exe
PID 2824 wrote to memory of 1756	2824	cmd.exe	w32tm.exe
PID 2824 wrote to memory of 1756	2824	cmd.exe	w32tm.exe
PID 2824 wrote to memory of 1756	2824	cmd.exe	w32tm.exe
PID 2824 wrote to memory of 840	2824	cmd.exe	lsass.exe
PID 2824 wrote to memory of 840	2824	cmd.exe	lsass.exe
PID 2824 wrote to memory of 840	2824	cmd.exe	lsass.exe
PID 840 wrote to memory of 1464	840	lsass.exe	WScript.exe
PID 840 wrote to memory of 1464	840	lsass.exe	WScript.exe
PID 840 wrote to memory of 1464	840	lsass.exe	WScript.exe
PID 840 wrote to memory of 2796	840	lsass.exe	WScript.exe
PID 840 wrote to memory of 2796	840	lsass.exe	WScript.exe
PID 840 wrote to memory of 2796	840	lsass.exe	WScript.exe
PID 1464 wrote to memory of 936	1464	WScript.exe	lsass.exe
PID 1464 wrote to memory of 936	1464	WScript.exe	lsass.exe
PID 1464 wrote to memory of 936	1464	WScript.exe	lsass.exe
PID 936 wrote to memory of 1596	936	lsass.exe	WScript.exe
PID 936 wrote to memory of 1596	936	lsass.exe	WScript.exe
PID 936 wrote to memory of 1596	936	lsass.exe	WScript.exe
PID 936 wrote to memory of 1720	936	lsass.exe	WScript.exe
PID 936 wrote to memory of 1720	936	lsass.exe	WScript.exe
PID 936 wrote to memory of 1720	936	lsass.exe	WScript.exe
PID 1596 wrote to memory of 2896	1596	WScript.exe	lsass.exe
PID 1596 wrote to memory of 2896	1596	WScript.exe	lsass.exe
PID 1596 wrote to memory of 2896	1596	WScript.exe	lsass.exe
PID 2896 wrote to memory of 2972	2896	lsass.exe	WScript.exe

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exee249c23fdd59a6f4cdbcd4cc7ded4300N.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e249c23fdd59a6f4cdbcd4cc7ded4300N.exe
"C:\Users\Admin\AppData\Local\Temp\e249c23fdd59a6f4cdbcd4cc7ded4300N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gGqhQ3tY5M.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1756

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a30cccae-c2cd-4033-8a6c-3a5face65d80.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aa42661-405d-4380-ab5f-3c1bcfd4f595.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2896

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1354bc0-0c0f-471d-ab9a-4bd8eaa48343.vbs"
8⤵
PID:2972

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4808c987-a9cc-4b2a-84ad-cd8a31787947.vbs"
10⤵
PID:2096

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d6b3c08-47af-4037-9acd-a8a32c686a24.vbs"
12⤵
PID:2240

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe
13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1924

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c911b0c5-7817-483b-aaf7-e5ad2b5e7fd3.vbs"
14⤵
PID:2092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ad7a23e-ad40-4cd2-b639-cfa474ad09b4.vbs"
14⤵
PID:2196

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d736299d-b361-48e4-96bc-294a7c267769.vbs"
12⤵
PID:920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb8dc92-5d7c-4781-b876-1d324c4b60f9.vbs"
10⤵
PID:2652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4bbf92a-6032-4ddc-9649-ef4d1a22735f.vbs"
8⤵
PID:2864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a714a791-ce16-4cb4-a193-c4889c2f3bd4.vbs"
6⤵
PID:1720

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27093029-de94-41e1-a7c1-88fe8845bf31.vbs"
4⤵
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\security\templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e249c23fdd59a6f4cdbcd4cc7ded4300Ne" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\e249c23fdd59a6f4cdbcd4cc7ded4300N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e249c23fdd59a6f4cdbcd4cc7ded4300N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\e249c23fdd59a6f4cdbcd4cc7ded4300N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e249c23fdd59a6f4cdbcd4cc7ded4300Ne" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\e249c23fdd59a6f4cdbcd4cc7ded4300N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXF56D.tmp

Filesize
4.9MB

MD5
64ceca2498e11203cd4d62c34078a254

SHA1
abdc713154851d825e007fd8d84f5543523bced3

SHA256
d57ff731360f0ed4ddbd0be868f6a4011a938bc184b02631b74be6989f3d8dfa

SHA512
4617c7e03c3f4b62eb48b620caa0a56abfe5327d7ee204b8bc4dc46c65c95f8f202feaefa1f6571866983b7a2302bb629699a8e3cee2873348a9bdd936af2a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\27093029-de94-41e1-a7c1-88fe8845bf31.vbs

Filesize
510B

MD5
1945aeee345cdb29d1308d8d28264f4c

SHA1
a893e199ddab68467414dea54e4291cad864d5f9

SHA256
614ab613d0f6d47957eb90bf70a18b5fde7872a5b6c5897f55f0affe45b2b5ca

SHA512
7a63c181beb19af8dfcba4fe9f04ff623427ba9c7ae35927f23aa0b1a8273e6b1fa96e3b660e17c5dd82e6d74375e15fb9ead97885be6548a4c223070340d3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aa42661-405d-4380-ab5f-3c1bcfd4f595.vbs

Filesize
733B

MD5
c399a4b512958af3c719d4d20fb3ea28

SHA1
8b1d233bbdcd604bb775f27f85c2ffba97857c85

SHA256
a7eb98960e525949ed23156cebb288dcb5098e6f14e43b57eadef79d9dea5fd0

SHA512
e13a414cd8830e2a80f1eca5dac95bb3a3e5f187207fc7b2dd5cb56b9e1f4769d0855d6a4e3ac547f0e8820fe0c58caa513ccd8d82b9f23d731501b0a142aab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4808c987-a9cc-4b2a-84ad-cd8a31787947.vbs

Filesize
733B

MD5
85e0823c1234086e3bfbcad91339b66e

SHA1
8c8de3c4bf59300d6bd038cd3a11bad9c0495648

SHA256
5a82fb4c3ceb90ae098cf16bb94f6dca8a7ca39280b9a459fee8fc4bec806935

SHA512
5814d93414df125f4645e8571ed25a39211133e33ff19659d5361f7d20246917d1e417595a7d43934f55b1d5ad72a7e5f4021174b96ac098f8e8fd5c0d4de220

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d6b3c08-47af-4037-9acd-a8a32c686a24.vbs

Filesize
734B

MD5
424f009815cbedfcf6811b6fedf2379f

SHA1
1f4fbd01d164a0dbff21822afcfa0d9af8b986cb

SHA256
cf9210ffb0b7fde498b7479afc227ef0ff812e60d4d550b41731fa770eefad15

SHA512
1876c012397201621842334c3eaf95371121151fa466d1a3f75eca7afd34409c2ba17cb69949f3097e332fb0d20deb424676e7287f2add8312adf674a2c3ae29

Download Submit
C:\Users\Admin\AppData\Local\Temp\a30cccae-c2cd-4033-8a6c-3a5face65d80.vbs

Filesize
733B

MD5
38d5b778cd3c16731b9bdecb3a19f6d1

SHA1
bbfd7e82e5d1ce068f43de79b98a3d19983ed3c3

SHA256
bd1d1fb760a9784d2c2148228a7e05d42b939d3472482d2ab3aa16d5fe980844

SHA512
9fb70cc5b5dfc3faa0d754bd5ba3d8165fcb130396da75686d0fccf9b09bbd1dbd21d13a8ff4b579102476e63f414451438d9101c24a7e980dcce6a47614e4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c911b0c5-7817-483b-aaf7-e5ad2b5e7fd3.vbs

Filesize
734B

MD5
cd73af7fd0fc2b665d1ff9d67c616905

SHA1
c1e8f9e066dcd59b8ebed1eca8e2c9f3d00cd0a1

SHA256
98d6bd18fa896d91a5fb90b843ba3365fd2772bc66faa8d980ded17bcc03ac37

SHA512
78e8c1bbba7118e6531f60c83a9d534fc8ed2aaf30891e032e043a696a96735d8a9a5528e6af7b3e72a3fef22a3b262bbe400102ef42fa114ca59999d4d7a927

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1354bc0-0c0f-471d-ab9a-4bd8eaa48343.vbs

Filesize
734B

MD5
1111cc54f54df8b03ba7c1be6bc8c4ee

SHA1
05521fcbddb87647c036974e0c3dfc026e55d0eb

SHA256
b3e2e32f9600816cdce40c7643340b9a0078238661b5c0f853f8010b39d2875c

SHA512
5fbe12c3a8850a2855e50d382e6e15ef77476fc1f83130c1244116dd81005e02147f6d9888af66aab1ff4aa840d7ebc3348874b4a2b901166e042ec9ca46771a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGqhQ3tY5M.bat

Filesize
223B

MD5
be9ccfcbb39f00b0b4ef19e2aa5687f9

SHA1
c1fd6e9e2dec10f47aa2530ac142096bdb42de8f

SHA256
917026d16550f512c5e88316fd550052750a481f590d33d9f87c7c17cc3db868

SHA512
03fa994682fa85dcef4f760bebe2eeacde30953359284498c70c41abc5e9f6bc3b90c578df62588467172f9e4afb58dc2b27c4e26832776241c9aa756d470eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3727.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c42ad9486953cd297483fb2a891d541

SHA1
bca37e0be2836d684a8a799c54c4fb974bd01bbf

SHA256
10535aef9be9d2863b40838bcfb8df805043dd95a0dfddd8a21c28a06b7f2d98

SHA512
2c8e3de7714109bea8d54158dbad5b7f6bf10490aa3b55baca770b5a0dd8413d271f504f86c4074abea5c52b1de662add2b71f1dc28917bf7bd13493baed4523

Download Submit
C:\Users\Admin\Searches\RCXFD9C.tmp

Filesize
4.9MB

MD5
445c6ea485397c1f1f6f3f81654e6d12

SHA1
7fda330ff8eade12929cc4853e082d7e5db7d7dc

SHA256
280d24b4b421dbf9582c8a158e7e0766cc8ff3ba67c4b7f761ed1532af515b94

SHA512
7ac918d5a85f15037b889c83d2dea02551c9c652923e5e2b01df47140e5e0f01030558adde89b6253b8bc9ad909a761ff003845330aabeab673cd99c1c316542

Download Submit
C:\Users\Default\WMIADAP.exe

Filesize
4.9MB

MD5
e249c23fdd59a6f4cdbcd4cc7ded4300

SHA1
649b368b943bb8b93d90b21cd7ae9e59cd07c12e

SHA256
85661d2d721f961564cb6de32c3f08b8108302e2d709f51aa8c03d6bbf114cc0

SHA512
9c4d705dbca7224baa7a2e7f5918c7c14250ad78f216ebb96652845ac7c3fa6f21cee119276b5dbf77b4ac05ba78fc47386601985bf9c85096b9c83e9fb1855f

Download Submit
C:\Windows\security\templates\RCXFB88.tmp

Filesize
4.9MB

MD5
3dd754e7ee2ea7c7a840b14006162ff7

SHA1
cfa5c47afcbc59465ede213eca4d1678caf3ecd6

SHA256
c631088bb174e118d73853325d1d3193da11c0b34f42b9dd7108165ccc5aff92

SHA512
40d429efc18c41e85d2caf94d02fc743500658085635dfa49cae6325667374de0a0877e092f5a11879442f227a9c372695a9bff16d2c5e87c3ff0e9c3f02ac22

Download Submit
memory/840-253-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/840-252-0x0000000000DE0000-0x00000000012D4000-memory.dmp

Filesize
5.0MB

Download
memory/908-297-0x0000000000BA0000-0x0000000001094000-memory.dmp

Filesize
5.0MB

Download
memory/936-267-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2248-4-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/2248-9-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2248-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/2248-144-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/2248-159-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-10-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2248-15-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/2248-2-0x000000001B690000-0x000000001B7BE000-memory.dmp

Filesize
1.2MB

Download
memory/2248-222-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-3-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-1-0x0000000000950000-0x0000000000E44000-memory.dmp

Filesize
5.0MB

Download
memory/2248-16-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/2248-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2248-7-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/2248-8-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2248-12-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2248-5-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2248-14-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/2248-11-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2248-13-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/2408-312-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/2896-282-0x0000000000250000-0x0000000000744000-memory.dmp

Filesize
5.0MB

Download
memory/3052-206-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/3052-196-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download