dcrat | c1c0a02ee81af5dc6bb325de5e87983afc7817454a9b496858651fc49cc6069c

Analysis

max time kernel
116s
max time network
115s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa967e458d7f812686b7576df2f8610N.exe
Size

4.9MB
MD5

3fa967e458d7f812686b7576df2f8610
SHA1

026e534665614441cba339ff25e6cf9228a2c0ce
SHA256

c1c0a02ee81af5dc6bb325de5e87983afc7817454a9b496858651fc49cc6069c
SHA512

763e9f9f3a046759c416bb7fed4329ae1c4f420a53f7f3fc34dc87b931e531ee6a6c9c8605156485c4b305a297fd075667f38f81d10bff9f847ecbbe29cb976d
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2384	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2384	schtasks.exe	31

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fa967e458d7f812686b7576df2f8610N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fa967e458d7f812686b7576df2f8610N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fa967e458d7f812686b7576df2f8610N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2488-2-0x000000001B1D0000-0x000000001B2FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1896	powershell.exe
1812	powershell.exe
2864	powershell.exe
2728	powershell.exe
2424	powershell.exe
2888	powershell.exe
2940	powershell.exe
2880	powershell.exe
1184	powershell.exe
2960	powershell.exe
2896	powershell.exe
2380	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1980	lsm.exe
1920	lsm.exe
2572	lsm.exe
1160	lsm.exe
2488	lsm.exe
2436	lsm.exe
1960	lsm.exe
928	lsm.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3fa967e458d7f812686b7576df2f8610N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fa967e458d7f812686b7576df2f8610N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\wininit.exe	3fa967e458d7f812686b7576df2f8610N.exe
File created	C:\Program Files\Common Files\56085415360792	3fa967e458d7f812686b7576df2f8610N.exe
File created	C:\Program Files (x86)\MSBuild\csrss.exe	3fa967e458d7f812686b7576df2f8610N.exe
File created	C:\Program Files (x86)\MSBuild\886983d96e3d3e	3fa967e458d7f812686b7576df2f8610N.exe
File opened for modification	C:\Program Files\Common Files\RCXEB5B.tmp	3fa967e458d7f812686b7576df2f8610N.exe
File opened for modification	C:\Program Files\Common Files\wininit.exe	3fa967e458d7f812686b7576df2f8610N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXED6F.tmp	3fa967e458d7f812686b7576df2f8610N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\csrss.exe	3fa967e458d7f812686b7576df2f8610N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
3052	schtasks.exe
2800	schtasks.exe
2836	schtasks.exe
2600	schtasks.exe
2532	schtasks.exe
2080	schtasks.exe
2076	schtasks.exe
2720	schtasks.exe
1272	schtasks.exe
2676	schtasks.exe
2120	schtasks.exe
2548	schtasks.exe
2328	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2488	3fa967e458d7f812686b7576df2f8610N.exe
2488	3fa967e458d7f812686b7576df2f8610N.exe
2488	3fa967e458d7f812686b7576df2f8610N.exe
2488	3fa967e458d7f812686b7576df2f8610N.exe
2488	3fa967e458d7f812686b7576df2f8610N.exe
2488	3fa967e458d7f812686b7576df2f8610N.exe
2488	3fa967e458d7f812686b7576df2f8610N.exe
2728	powershell.exe
2880	powershell.exe
2888	powershell.exe
2940	powershell.exe
1184	powershell.exe
2896	powershell.exe
2424	powershell.exe
2960	powershell.exe
2864	powershell.exe
1896	powershell.exe
2380	powershell.exe
1812	powershell.exe
1980	lsm.exe
1920	lsm.exe
2572	lsm.exe
1160	lsm.exe
2488	lsm.exe
2436	lsm.exe
1960	lsm.exe
928	lsm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	3fa967e458d7f812686b7576df2f8610N.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1980	lsm.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1920	lsm.exe
Token: SeDebugPrivilege	2572	lsm.exe
Token: SeDebugPrivilege	1160	lsm.exe
Token: SeDebugPrivilege	2488	lsm.exe
Token: SeDebugPrivilege	2436	lsm.exe
Token: SeDebugPrivilege	1960	lsm.exe
Token: SeDebugPrivilege	928	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1896	2488	3fa967e458d7f812686b7576df2f8610N.exe	47
PID 2488 wrote to memory of 1896	2488	3fa967e458d7f812686b7576df2f8610N.exe	47
PID 2488 wrote to memory of 1896	2488	3fa967e458d7f812686b7576df2f8610N.exe	47
PID 2488 wrote to memory of 1812	2488	3fa967e458d7f812686b7576df2f8610N.exe	48
PID 2488 wrote to memory of 1812	2488	3fa967e458d7f812686b7576df2f8610N.exe	48
PID 2488 wrote to memory of 1812	2488	3fa967e458d7f812686b7576df2f8610N.exe	48
PID 2488 wrote to memory of 2888	2488	3fa967e458d7f812686b7576df2f8610N.exe	49
PID 2488 wrote to memory of 2888	2488	3fa967e458d7f812686b7576df2f8610N.exe	49
PID 2488 wrote to memory of 2888	2488	3fa967e458d7f812686b7576df2f8610N.exe	49
PID 2488 wrote to memory of 2940	2488	3fa967e458d7f812686b7576df2f8610N.exe	51
PID 2488 wrote to memory of 2940	2488	3fa967e458d7f812686b7576df2f8610N.exe	51
PID 2488 wrote to memory of 2940	2488	3fa967e458d7f812686b7576df2f8610N.exe	51
PID 2488 wrote to memory of 2896	2488	3fa967e458d7f812686b7576df2f8610N.exe	52
PID 2488 wrote to memory of 2896	2488	3fa967e458d7f812686b7576df2f8610N.exe	52
PID 2488 wrote to memory of 2896	2488	3fa967e458d7f812686b7576df2f8610N.exe	52
PID 2488 wrote to memory of 2728	2488	3fa967e458d7f812686b7576df2f8610N.exe	53
PID 2488 wrote to memory of 2728	2488	3fa967e458d7f812686b7576df2f8610N.exe	53
PID 2488 wrote to memory of 2728	2488	3fa967e458d7f812686b7576df2f8610N.exe	53
PID 2488 wrote to memory of 2864	2488	3fa967e458d7f812686b7576df2f8610N.exe	54
PID 2488 wrote to memory of 2864	2488	3fa967e458d7f812686b7576df2f8610N.exe	54
PID 2488 wrote to memory of 2864	2488	3fa967e458d7f812686b7576df2f8610N.exe	54
PID 2488 wrote to memory of 2880	2488	3fa967e458d7f812686b7576df2f8610N.exe	55
PID 2488 wrote to memory of 2880	2488	3fa967e458d7f812686b7576df2f8610N.exe	55
PID 2488 wrote to memory of 2880	2488	3fa967e458d7f812686b7576df2f8610N.exe	55
PID 2488 wrote to memory of 1184	2488	3fa967e458d7f812686b7576df2f8610N.exe	60
PID 2488 wrote to memory of 1184	2488	3fa967e458d7f812686b7576df2f8610N.exe	60
PID 2488 wrote to memory of 1184	2488	3fa967e458d7f812686b7576df2f8610N.exe	60
PID 2488 wrote to memory of 2960	2488	3fa967e458d7f812686b7576df2f8610N.exe	61
PID 2488 wrote to memory of 2960	2488	3fa967e458d7f812686b7576df2f8610N.exe	61
PID 2488 wrote to memory of 2960	2488	3fa967e458d7f812686b7576df2f8610N.exe	61
PID 2488 wrote to memory of 2380	2488	3fa967e458d7f812686b7576df2f8610N.exe	62
PID 2488 wrote to memory of 2380	2488	3fa967e458d7f812686b7576df2f8610N.exe	62
PID 2488 wrote to memory of 2380	2488	3fa967e458d7f812686b7576df2f8610N.exe	62
PID 2488 wrote to memory of 2424	2488	3fa967e458d7f812686b7576df2f8610N.exe	63
PID 2488 wrote to memory of 2424	2488	3fa967e458d7f812686b7576df2f8610N.exe	63
PID 2488 wrote to memory of 2424	2488	3fa967e458d7f812686b7576df2f8610N.exe	63
PID 2488 wrote to memory of 1980	2488	3fa967e458d7f812686b7576df2f8610N.exe	71
PID 2488 wrote to memory of 1980	2488	3fa967e458d7f812686b7576df2f8610N.exe	71
PID 2488 wrote to memory of 1980	2488	3fa967e458d7f812686b7576df2f8610N.exe	71
PID 1980 wrote to memory of 1384	1980	lsm.exe	72
PID 1980 wrote to memory of 1384	1980	lsm.exe	72
PID 1980 wrote to memory of 1384	1980	lsm.exe	72
PID 1980 wrote to memory of 1140	1980	lsm.exe	73
PID 1980 wrote to memory of 1140	1980	lsm.exe	73
PID 1980 wrote to memory of 1140	1980	lsm.exe	73
PID 1384 wrote to memory of 1920	1384	WScript.exe	74
PID 1384 wrote to memory of 1920	1384	WScript.exe	74
PID 1384 wrote to memory of 1920	1384	WScript.exe	74
PID 1920 wrote to memory of 2168	1920	lsm.exe	75
PID 1920 wrote to memory of 2168	1920	lsm.exe	75
PID 1920 wrote to memory of 2168	1920	lsm.exe	75
PID 1920 wrote to memory of 2124	1920	lsm.exe	76
PID 1920 wrote to memory of 2124	1920	lsm.exe	76
PID 1920 wrote to memory of 2124	1920	lsm.exe	76
PID 2168 wrote to memory of 2572	2168	WScript.exe	77
PID 2168 wrote to memory of 2572	2168	WScript.exe	77
PID 2168 wrote to memory of 2572	2168	WScript.exe	77
PID 2572 wrote to memory of 1184	2572	lsm.exe	78
PID 2572 wrote to memory of 1184	2572	lsm.exe	78
PID 2572 wrote to memory of 1184	2572	lsm.exe	78
PID 2572 wrote to memory of 1944	2572	lsm.exe	79
PID 2572 wrote to memory of 1944	2572	lsm.exe	79
PID 2572 wrote to memory of 1944	2572	lsm.exe	79
PID 1184 wrote to memory of 1160	1184	WScript.exe	80

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fa967e458d7f812686b7576df2f8610N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fa967e458d7f812686b7576df2f8610N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fa967e458d7f812686b7576df2f8610N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3fa967e458d7f812686b7576df2f8610N.exe
"C:\Users\Admin\AppData\Local\Temp\3fa967e458d7f812686b7576df2f8610N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
  "C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1980
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94a60ca8-bc14-486c-afcd-5dbf5b326bfc.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
      C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f311eb3-93c6-407d-83f1-e2675130dedd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3255dde3-7af3-461e-98c4-d2ed44da1c33.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8605cbb8-4b3e-495a-9fad-bc87427e465f.vbs"
        9⤵
        
        PID:1896
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6242dbdf-f34a-472b-abb8-ff68f0133693.vbs"
        11⤵
        
        PID:2288
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae00f369-8a3c-4512-9622-529293ed25c5.vbs"
        13⤵
        
        PID:2236
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e774500-94ce-4e01-a6c8-ad6cc3116af3.vbs"
        15⤵
        
        PID:1988
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        
        C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e743a3d-68dd-4fd1-901e-aea9087bf097.vbs"
        17⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44803422-c96f-4dd7-b4b8-b787ce417c0c.vbs"
        17⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33bb1066-13e7-4009-bdc1-4fb2c5f4b675.vbs"
        15⤵
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f083294-cbd5-4e77-a3c0-ccb735065777.vbs"
        13⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b112672-9882-418a-bab2-217b9efe7529.vbs"
        11⤵
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f67a8e9b-7623-40d9-9015-6835ff790bce.vbs"
        9⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4f863f5-1c7c-46ae-b035-048e66aaad31.vbs"
        7⤵
        
        PID:1944
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a605cb8-9cc8-45f2-9995-6244bb9a4d73.vbs"
        5⤵
        
        PID:2124
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2557ffa5-981c-491f-ac80-99271ee23475.vbs"
    3⤵
    PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3fa967e458d7f812686b7576df2f8610N3" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\3fa967e458d7f812686b7576df2f8610N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3fa967e458d7f812686b7576df2f8610N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\3fa967e458d7f812686b7576df2f8610N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3fa967e458d7f812686b7576df2f8610N3" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\3fa967e458d7f812686b7576df2f8610N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe

Filesize
4.9MB

MD5
3fa967e458d7f812686b7576df2f8610

SHA1
026e534665614441cba339ff25e6cf9228a2c0ce

SHA256
c1c0a02ee81af5dc6bb325de5e87983afc7817454a9b496858651fc49cc6069c

SHA512
763e9f9f3a046759c416bb7fed4329ae1c4f420a53f7f3fc34dc87b931e531ee6a6c9c8605156485c4b305a297fd075667f38f81d10bff9f847ecbbe29cb976d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f311eb3-93c6-407d-83f1-e2675130dedd.vbs

Filesize
732B

MD5
bcd0ffe1afed33a1ca2fee1141adfedf

SHA1
7be8db99eb85872ba8652764ca78f93f603bfa65

SHA256
8444ae436334e0e887b790808d3ef6004b29ad351682903e55deb74e079871b6

SHA512
dce5c7d87dca161ac9642bf27ae59f9e972e1b8fc8ffb1cd67f8de9a9be62b72c7788d48f85873a47f8534bc32642bfb57d8b9b1a6a75985dbde184e7a27e2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e774500-94ce-4e01-a6c8-ad6cc3116af3.vbs

Filesize
732B

MD5
1a7dc6c0e82ac38b79aae10b30b74d3e

SHA1
32002c67c185cc4371a14a7eea4bd73e50d5b191

SHA256
89177496834d43efbda7058d3b6cd13b4d6aab97cb9bd3a200ec9f78b7d45def

SHA512
84a422f68c1e3e6cc10fd9bad6bab3aef8fd025f16b9e769be9105b4eec8ba63ed085d777e661066b60a1b7f1f597bfc210892242dcffc462cb3c6198a531df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2557ffa5-981c-491f-ac80-99271ee23475.vbs

Filesize
508B

MD5
93df47e2f40c970fe9e56c1902dd7a80

SHA1
cde6091483f71a99a665d459ef3cf4af35cfe0ee

SHA256
0ff7a417ad45542ae92478ea3a65d2455803e622f76b710687a9a2b381486098

SHA512
4fad03cf2795dc69d552bfbd6e48a3c13579e63d639560a38e5f4dfd40ae58d9bd5e02f4f5380087fe8d5bbbbac0f5d39a5f7e88f1b43ef680185a9bcb3f5457

Download Submit
C:\Users\Admin\AppData\Local\Temp\3255dde3-7af3-461e-98c4-d2ed44da1c33.vbs

Filesize
732B

MD5
2051a8e84102e910e4c7a6b4a4a53981

SHA1
821c3e2656cfb980154cd1f1594be1795b0160c2

SHA256
3f9093a48f27e0778649f1c00d29a82207496cb308a2b4582c43962a97a41239

SHA512
6532bd68f7167cb81fd7491e34c5b04701c45a9a25e22037a795a1a5d6c0c2ada806be7ad60021e51f9dbc397c7808ad97dda78dd2b162a6aa152a647c8afead

Download Submit
C:\Users\Admin\AppData\Local\Temp\6242dbdf-f34a-472b-abb8-ff68f0133693.vbs

Filesize
732B

MD5
6ba08a21c3fa9c191c27f52f621ae4fd

SHA1
e31146d51641f2663e55463a381c5628ad3ef9bc

SHA256
dc1b35ad79944c21ec11ab7fdfa35498542a3bf9fbe681afe1fa9cb6ca2804dc

SHA512
1c687418f117b4284ea8111444e43d49d859d71cca279789adf08d1e737ff3b3cbcdb01a4e3ef091d3e74be4c7bc01d24a9188f77320ba6ed8c1b0b1fce1195e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8605cbb8-4b3e-495a-9fad-bc87427e465f.vbs

Filesize
732B

MD5
b451ebba8e3a5f7cfbf31ab6f447ee33

SHA1
2e2982391dbe3f3c32cb8c6b8ea61d80ccceade1

SHA256
81528371ae7b544f6f95655eed961cbd4310a517c6e519b7b64c42a48ee03ef8

SHA512
f7cd118cafdffd52c78900fa8888866b34216beff3c4a23e1ef11913f2fdc104d8f2d56cb9dae4a25e880a327cdcd02a9e074a6035d874dc8070ed1aa559fa7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e743a3d-68dd-4fd1-901e-aea9087bf097.vbs

Filesize
731B

MD5
5e3937770c6824ea834266a584881920

SHA1
2fd73630c8725d91ee140a75b514c6682ce597cf

SHA256
0d0dfdad90a7b12187e9a4971fa39a20c2a58fba93940a00ddd0625981490350

SHA512
df5115976951199241527f53f164c2bfe189826fd95092249b4d83c6b0e8929679c968ee02477579be9a6c39bf01d495abaf7157bbdf89ccf0dddb7d4d783d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\94a60ca8-bc14-486c-afcd-5dbf5b326bfc.vbs

Filesize
732B

MD5
33e75e235e7e5099d12f4216f97674ef

SHA1
ffa966a7f5982beb845799bd2451d7a72b5dfea2

SHA256
e35e69e51ba27a60a8ca9e27aab09021a246d697cc81b8f5d8c4de48abf9ef3c

SHA512
6d319d608e7690a046f6af678a1f28742ec03961b8a601bb5720350153c841449137f17071c37ec7f724a9bdcf5ca098f490e6317e198a10d98d8c3917408567

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae00f369-8a3c-4512-9622-529293ed25c5.vbs

Filesize
732B

MD5
1d39023e291561fca25ae9d4c0d2f147

SHA1
9597cdd3561b4737c3be6f85037f3f627c576a2e

SHA256
e6bb4e5cbc6d431cbef90a7b819c9d8b6dab080eafb25b7142cf5f628c2541c3

SHA512
45685af67eabb5fb2af850a8801ea96fca94f63f14917d6f96f5c4608abf17aa3834ca54c6ac865dd63eda5bd1bbebe9016ceb59fcb63d72e41c279cb7644fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A8.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NETGUUD5AN8C15P9SJ1U.temp

Filesize
7KB

MD5
aadc05b409838b1a8b7d5036f00c6f46

SHA1
40d297fb56ec83bc377a71d0e46a24e999fb885e

SHA256
6b7858004f22cb3201871b99713c5634b3c41d3eb05fbee8ac842fbbce157c10

SHA512
6c60b58e3800e20940ccc782993ca24ffced3b0926a111002c742ce90470fc8e3e6ce9c35be5050843bf1733d4def1f6c2275bc241173789ad3e23af7e98ace0

Download Submit
memory/928-228-0x0000000001050000-0x0000000001544000-memory.dmp

Filesize
5.0MB

Download
memory/1920-138-0x0000000000E60000-0x0000000001354000-memory.dmp

Filesize
5.0MB

Download
memory/1960-212-0x0000000000120000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/1960-213-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/1980-103-0x0000000000960000-0x0000000000E54000-memory.dmp

Filesize
5.0MB

Download
memory/2436-197-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/2488-10-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/2488-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/2488-9-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2488-2-0x000000001B1D0000-0x000000001B2FE000-memory.dmp

Filesize
1.2MB

Download
memory/2488-105-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-14-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2488-13-0x00000000023D0000-0x00000000023DE000-memory.dmp

Filesize
56KB

Download
memory/2488-12-0x00000000023C0000-0x00000000023CE000-memory.dmp

Filesize
56KB

Download
memory/2488-7-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/2488-15-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2488-1-0x0000000000200000-0x00000000006F4000-memory.dmp

Filesize
5.0MB

Download
memory/2488-3-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-11-0x00000000023B0000-0x00000000023BA000-memory.dmp

Filesize
40KB

Download
memory/2488-182-0x00000000011D0000-0x00000000016C4000-memory.dmp

Filesize
5.0MB

Download
memory/2488-8-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2488-16-0x0000000002400000-0x000000000240C000-memory.dmp

Filesize
48KB

Download
memory/2488-6-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2488-5-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/2488-4-0x0000000000880000-0x000000000089C000-memory.dmp

Filesize
112KB

Download
memory/2572-153-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/2728-102-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2888-104-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download