dcrat | ca018a6c42cbcff62953c8df1a288d315d86f182876a8037b41d02a604e2191f

Analysis

max time kernel
118s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b026a4ecfe2b95b153f91b7c0c854200N.exe
Size

4.9MB
MD5

b026a4ecfe2b95b153f91b7c0c854200
SHA1

687a6bfae0785206cdd4577755626d046e844015
SHA256

ca018a6c42cbcff62953c8df1a288d315d86f182876a8037b41d02a604e2191f
SHA512

0afebbee95f50178db721ecb1f4aca644d9357d6ac9a7825ac775f83372fb9c0b7a56878f94dbe08e5d48bd0fe566cabc4f9b4195c218d1ff48aef3c22853388
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	484	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	484	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2128-3-0x000000001B340000-0x000000001B46E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
2764	powershell.exe
1684	powershell.exe
1392	powershell.exe
664	powershell.exe
1116	powershell.exe
1480	powershell.exe
3036	powershell.exe
2832	powershell.exe
1800	powershell.exe
1248	powershell.exe
2680	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1676	services.exe
1996	services.exe
2688	services.exe
2372	services.exe
3064	services.exe
2028	services.exe
1652	services.exe
2660	services.exe
2972	services.exe
1824	services.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCXEE21.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXDA88.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXDCBA.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\explorer.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\886983d96e3d3e	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\WMIADAP.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\7-Zip\Lang\7a0fd90576e088	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\Windows Mail\es-ES\WMIADAP.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\RCXEA1A.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\lsass.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\7a0fd90576e088	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\6203df4a6bafc7	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXE612.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\MSBuild\Microsoft\taskhost.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\7-Zip\Lang\explorer.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\explorer.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\taskhost.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\Windows Mail\es-ES\75a57c1bdf437c	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXF70B.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\Windows Media Player\fr-FR\5940a34987c991	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\Windows Media Player\fr-FR\dllhost.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\dllhost.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCXEC1E.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\MSBuild\Microsoft\b75386f1303e64	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\lsass.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\explorer.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\OSPPSVC.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Windows\PolicyDefinitions\1610b97d3ab4a7	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXF025.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Windows\PolicyDefinitions\OSPPSVC.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1784	schtasks.exe
2888	schtasks.exe
1856	schtasks.exe
2012	schtasks.exe
1316	schtasks.exe
2940	schtasks.exe
1344	schtasks.exe
2880	schtasks.exe
1512	schtasks.exe
1984	schtasks.exe
2488	schtasks.exe
1080	schtasks.exe
2920	schtasks.exe
1564	schtasks.exe
356	schtasks.exe
2776	schtasks.exe
2384	schtasks.exe
2852	schtasks.exe
2600	schtasks.exe
1140	schtasks.exe
1888	schtasks.exe
2512	schtasks.exe
3060	schtasks.exe
2196	schtasks.exe
1536	schtasks.exe
2632	schtasks.exe
1988	schtasks.exe
1884	schtasks.exe
1960	schtasks.exe
1880	schtasks.exe
2816	schtasks.exe
2840	schtasks.exe
2964	schtasks.exe
1932	schtasks.exe
2024	schtasks.exe
908	schtasks.exe
2648	schtasks.exe
3044	schtasks.exe
1688	schtasks.exe
2732	schtasks.exe
592	schtasks.exe
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2128	b026a4ecfe2b95b153f91b7c0c854200N.exe
1116	powershell.exe
2680	powershell.exe
2832	powershell.exe
2764	powershell.exe
1248	powershell.exe
1800	powershell.exe
1480	powershell.exe
2660	powershell.exe
1392	powershell.exe
3036	powershell.exe
1684	powershell.exe
664	powershell.exe
1676	services.exe
1996	services.exe
2688	services.exe
2372	services.exe
3064	services.exe
2028	services.exe
1652	services.exe
2660	services.exe
2972	services.exe
1824	services.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1676	services.exe
Token: SeDebugPrivilege	1996	services.exe
Token: SeDebugPrivilege	2688	services.exe
Token: SeDebugPrivilege	2372	services.exe
Token: SeDebugPrivilege	3064	services.exe
Token: SeDebugPrivilege	2028	services.exe
Token: SeDebugPrivilege	1652	services.exe
Token: SeDebugPrivilege	2660	services.exe
Token: SeDebugPrivilege	2972	services.exe
Token: SeDebugPrivilege	1824	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2680	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	74
PID 2128 wrote to memory of 2680	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	74
PID 2128 wrote to memory of 2680	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	74
PID 2128 wrote to memory of 3036	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	75
PID 2128 wrote to memory of 3036	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	75
PID 2128 wrote to memory of 3036	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	75
PID 2128 wrote to memory of 2660	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	77
PID 2128 wrote to memory of 2660	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	77
PID 2128 wrote to memory of 2660	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	77
PID 2128 wrote to memory of 1480	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	78
PID 2128 wrote to memory of 1480	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	78
PID 2128 wrote to memory of 1480	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	78
PID 2128 wrote to memory of 1116	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	79
PID 2128 wrote to memory of 1116	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	79
PID 2128 wrote to memory of 1116	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	79
PID 2128 wrote to memory of 2832	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	80
PID 2128 wrote to memory of 2832	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	80
PID 2128 wrote to memory of 2832	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	80
PID 2128 wrote to memory of 664	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	81
PID 2128 wrote to memory of 664	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	81
PID 2128 wrote to memory of 664	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	81
PID 2128 wrote to memory of 1248	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	82
PID 2128 wrote to memory of 1248	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	82
PID 2128 wrote to memory of 1248	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	82
PID 2128 wrote to memory of 1392	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	83
PID 2128 wrote to memory of 1392	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	83
PID 2128 wrote to memory of 1392	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	83
PID 2128 wrote to memory of 1684	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	85
PID 2128 wrote to memory of 1684	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	85
PID 2128 wrote to memory of 1684	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	85
PID 2128 wrote to memory of 2764	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	86
PID 2128 wrote to memory of 2764	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	86
PID 2128 wrote to memory of 2764	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	86
PID 2128 wrote to memory of 1800	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	87
PID 2128 wrote to memory of 1800	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	87
PID 2128 wrote to memory of 1800	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	87
PID 2128 wrote to memory of 1676	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	98
PID 2128 wrote to memory of 1676	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	98
PID 2128 wrote to memory of 1676	2128	b026a4ecfe2b95b153f91b7c0c854200N.exe	98
PID 1676 wrote to memory of 2612	1676	services.exe	99
PID 1676 wrote to memory of 2612	1676	services.exe	99
PID 1676 wrote to memory of 2612	1676	services.exe	99
PID 1676 wrote to memory of 3052	1676	services.exe	100
PID 1676 wrote to memory of 3052	1676	services.exe	100
PID 1676 wrote to memory of 3052	1676	services.exe	100
PID 2612 wrote to memory of 1996	2612	WScript.exe	101
PID 2612 wrote to memory of 1996	2612	WScript.exe	101
PID 2612 wrote to memory of 1996	2612	WScript.exe	101
PID 1996 wrote to memory of 2064	1996	services.exe	102
PID 1996 wrote to memory of 2064	1996	services.exe	102
PID 1996 wrote to memory of 2064	1996	services.exe	102
PID 1996 wrote to memory of 2220	1996	services.exe	103
PID 1996 wrote to memory of 2220	1996	services.exe	103
PID 1996 wrote to memory of 2220	1996	services.exe	103
PID 2064 wrote to memory of 2688	2064	WScript.exe	104
PID 2064 wrote to memory of 2688	2064	WScript.exe	104
PID 2064 wrote to memory of 2688	2064	WScript.exe	104
PID 2688 wrote to memory of 1764	2688	services.exe	105
PID 2688 wrote to memory of 1764	2688	services.exe	105
PID 2688 wrote to memory of 1764	2688	services.exe	105
PID 2688 wrote to memory of 2012	2688	services.exe	106
PID 2688 wrote to memory of 2012	2688	services.exe	106
PID 2688 wrote to memory of 2012	2688	services.exe	106
PID 1764 wrote to memory of 2372	1764	WScript.exe	107

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b026a4ecfe2b95b153f91b7c0c854200N.exe
"C:\Users\Admin\AppData\Local\Temp\b026a4ecfe2b95b153f91b7c0c854200N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Users\Default User\services.exe
  "C:\Users\Default User\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1676
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c59d70e-cd81-47e7-9254-1395d9fd2447.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Default User\services.exe
      "C:\Users\Default User\services.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1996
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74b9ea44-78dc-42ae-b851-11ce478060cf.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc12d4bd-6f9a-4bdb-8596-1cbac18dbe56.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35699a39-3e09-4f98-93fd-ac3cc8bccee6.vbs"
        9⤵
        
        PID:2800
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b53c8a9-f84d-4ed8-a5d0-7d553d29982c.vbs"
        11⤵
        
        PID:1052
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\401154a7-3454-44db-9558-bb5b3ffcb632.vbs"
        13⤵
        
        PID:2488
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4977c9ff-b00c-46fa-ab64-6114b7aa0111.vbs"
        15⤵
        
        PID:1856
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a293b73b-f4d6-447d-900b-e03c7fb2b40b.vbs"
        17⤵
        
        PID:2916
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cdb93f9-23f0-4c43-af71-c55c02f04ae0.vbs"
        19⤵
        
        PID:2536
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56e1aecb-6b60-422b-a763-c226d0caf421.vbs"
        21⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0b16af4-3037-42d9-8d53-ce80d058c391.vbs"
        21⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9ab45d2-9104-459c-a9c3-2bc512aa315f.vbs"
        19⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a18ccb65-b9c5-4897-adc0-18886f4a6c11.vbs"
        17⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77bbe2cc-7184-4784-96c9-a3df7f5cfdb9.vbs"
        15⤵
        
        PID:584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f74b00e0-e355-454c-ba7e-e59f52245ec9.vbs"
        13⤵
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb71e240-7952-4d1c-b00e-e88819d47fa3.vbs"
        11⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a943edb4-b0d5-4f8a-87cb-f20642cc9656.vbs"
        9⤵
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae8a9310-d649-4928-acc2-d153b4521c3f.vbs"
        7⤵
        
        PID:2012
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97bcfb99-4a8d-4ade-bc87-14c2213551ae.vbs"
        5⤵
        
        PID:2220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef3cd1d6-a508-41dc-bd11-f848a06b91d2.vbs"
    3⤵
    PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b53c8a9-f84d-4ed8-a5d0-7d553d29982c.vbs

Filesize
710B

MD5
b17845eb4d3f3a453428c47f1948116d

SHA1
85cbc26b3d05dcf4f927c4b9f350f337c1cc03e2

SHA256
ac8025e650adb570f88c562542b82a2b09c5b878cbfec895fd5de7c3de0444cb

SHA512
ea5c8ae230f14e63f6a9d7f26e4e08e75ba78fbf2cb8806dca53e1a33877d2631b779620fa267ba0e118ecf38214a9ed9f04f67c61511bf007871e91a392d612

Download Submit
C:\Users\Admin\AppData\Local\Temp\35699a39-3e09-4f98-93fd-ac3cc8bccee6.vbs

Filesize
710B

MD5
147badf314faebbc9b160ad61a314502

SHA1
4eb13f12c613240dcacfdbea79f257741fac2198

SHA256
624fabedad27bdabd2d5d167d844fe11882c90437c5137acb265bd3ec92501eb

SHA512
4524c4f9129a8850ccc8adb39e7b5a5ef851c2fe7641b5c695cad05eeb805516fde3cfcda1c9be3e89e73a0abb655eb232e0cc436b4bc1686802fa589dac1ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c59d70e-cd81-47e7-9254-1395d9fd2447.vbs

Filesize
710B

MD5
00ffbceed5f8ea60cb5dee6aecb9880c

SHA1
c898b704e7165850dd23ff87a04db068415ac049

SHA256
f88b14a5f8fc1fe0da65d6775ebf5cbc441725e73d447400494a882340e5217a

SHA512
d5773ce2f5a43be49abf10ae8ded9a2b4a7b843dcb8c9eaf75802e939c881091fad62397847dbef7255f919f84195d4bdcf9bb1ea521b5317e5c140fe967167d

Download Submit
C:\Users\Admin\AppData\Local\Temp\401154a7-3454-44db-9558-bb5b3ffcb632.vbs

Filesize
710B

MD5
994d56a0fde3f6aa6bd082c22c7a1f89

SHA1
cf7de245be11347b0d4c900a58c6155ebbaaa9d9

SHA256
4d5a754b1ce3642ae81e13600a368e0b67f67f691063670354fc213b7b263aa5

SHA512
2afaebd71e946eb7468946c2c0a02127e0fdb97c9be8bd2559b4f3fbb3e74079f9a1baacbf5ed1858dd9c14518440ded97ecf76f96d0c33f2f6bdd1fd46a24b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4977c9ff-b00c-46fa-ab64-6114b7aa0111.vbs

Filesize
710B

MD5
3fe4920a04953ca846562d44b4b04e57

SHA1
28e5cff1c9e0e0638ba251fe6937190a82c9e373

SHA256
76695acb4b753cdbb1295e5ce53ad9e5a9ac0e0041aa442ee1c42fcb5ca15f8e

SHA512
c2018e0b30c2eafc02027b198568cc61bae30a09a0fe5c51c38566faffe7641f1ecdae98a82194d9357b049f4cc7b1bee65fce590f01b2f59a642e786c6e6229

Download Submit
C:\Users\Admin\AppData\Local\Temp\56e1aecb-6b60-422b-a763-c226d0caf421.vbs

Filesize
710B

MD5
f4cd7c0b71881a14ac729619ea58079b

SHA1
7bb6227145979ad32d473e9201a9c017963d58fc

SHA256
7a89622bd9271dff6f87d2f33602fbc915e006958806e8141daa8e6b251ac5de

SHA512
427de32a307a3032f982dad805f0caba9f79c356ac2240f3bc1678c1f2688bcad6f472913c247e20085be04c4ec7097dc8191d9632145efd7903ea4cfa473651

Download Submit
C:\Users\Admin\AppData\Local\Temp\74b9ea44-78dc-42ae-b851-11ce478060cf.vbs

Filesize
710B

MD5
1487b912a281863fd607cdc7510ef9cd

SHA1
612f9ee4eabce49a9f843881a27545ca649dd4d1

SHA256
4e28a53205d89f99265dc6ecff917e02c929cd410c01edb362752999d84528c0

SHA512
ed3a8251a225f7fb735f6408f991b1def755d34c7687b9a4ba8b69146ab7a43e6c2f7daa2cec053979aca1304dca228bcdf250a3b2c8081e65997e003835654a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cdb93f9-23f0-4c43-af71-c55c02f04ae0.vbs

Filesize
710B

MD5
e192e2a872b17629ed67c34707d92d3d

SHA1
6b5af91cc441c8529bad54d4ccb9e4e3a460e5ec

SHA256
0d012ffc1f9d0d1477ae6bc23da5c7cf5af93e316eab111b9b60b659b470c02b

SHA512
207abb94f2599de3150b402ab09e1aacb05bef87ef21821a01a10c797ae4d5dcbdbe5001724b0a3de8a3bcebebb2c64766acacc3a6ab63d17ab6e0dd22141835

Download Submit
C:\Users\Admin\AppData\Local\Temp\a293b73b-f4d6-447d-900b-e03c7fb2b40b.vbs

Filesize
710B

MD5
ee82e3829350dc7116c9b2939777b7fb

SHA1
c2b09036ded85bc1379aa854ca6f60b6fc4aa1c3

SHA256
e53c7bd8366c888becc771c4e8bc165c0380d0e0394f4456868b138a3b801390

SHA512
57dee2f1f93359a22d7f4c5f919f70b4f9173f2a6a8b974d0afd5a4f13321b371567ed3d487f5335170c7804f1e44bbc7823f6236341744f59e1cf66bf642889

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc12d4bd-6f9a-4bdb-8596-1cbac18dbe56.vbs

Filesize
710B

MD5
919bff5f6d3ee8ba0399909719337a3f

SHA1
febfdc5fbb4521901664a0fc9632e1e23567b103

SHA256
90c534c454e7c3f599f80cc3ead4a6408748e18af9dd4090e7efc2af0b9e0a4a

SHA512
249983e96bcf7dce89e5c5aa43d37f8b93b6a55f76102f0430a955f50a092ba22c27041ad8c0553a28fb2c604cb2aee7eb097cdce85b67863d23bc42d3be5819

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddd1e17670373e33c95e500db3664a00d1963bb2.exe

Filesize
4.9MB

MD5
ad035c4017a50f681d9748abac6d4327

SHA1
6e95eaafa2c1c65af289f683a3405f88d4aa7a94

SHA256
0e6b885d44451ed4aa5a89514c50bb459e4a873039ec4179dcb95d04cef1633c

SHA512
b8d34af9f1df11a752607f60c5fc4620b16bbad7c190479af865f05276b122e445585af2f42541723853b351a522aaec83ea2cc37f4af00514a8b679fb003783

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef3cd1d6-a508-41dc-bd11-f848a06b91d2.vbs

Filesize
486B

MD5
eb077f23f9f39264f357325e8ce03ba6

SHA1
e2b4b675f1e4b7333360a9286a6b6421b68e8fc9

SHA256
0e6765a99beeb69bf404661a770289c2148cfacb4676840a2a4782a5576d1c39

SHA512
e218ef5e9337b3ff435e463f22f193990768c3b36d456ba1a864106678f595f268dfa6f132b4319bebd3c94550736c07411e0e64ae5217236c2584dccbdbb7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp934.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
29917eea167221fb62331c8ea6028c86

SHA1
5c788d76097a00ed401186ea6aed7ff846432fca

SHA256
3e94b6f5de0ae68d9d46ee0de6446fad092d5e84d1aa2de60479644af26b7b9d

SHA512
fd9e3fa00cb7103c94f527287265e82129193697788abd50d60951dac8081e500e98fbd13cb7786ac8df459991dc1167bf8793e0eb9e0d9742564426cd8d9390

Download Submit
C:\Users\Default\services.exe

Filesize
4.9MB

MD5
b026a4ecfe2b95b153f91b7c0c854200

SHA1
687a6bfae0785206cdd4577755626d046e844015

SHA256
ca018a6c42cbcff62953c8df1a288d315d86f182876a8037b41d02a604e2191f

SHA512
0afebbee95f50178db721ecb1f4aca644d9357d6ac9a7825ac775f83372fb9c0b7a56878f94dbe08e5d48bd0fe566cabc4f9b4195c218d1ff48aef3c22853388

Download Submit
C:\Users\Default\services.exe

Filesize
4.9MB

MD5
a2bea1d84eb26406035fc6fcc4282868

SHA1
43f4cf496184b4ff45094b9dd4a6355b1ec4c6b1

SHA256
d21aedd14f051f9f6c54bbc3e23d792779c6d7f311f0a79bfd316ec09d6ab035

SHA512
0acd319d01a85cd6c69d09f00d437af93da42967cb8bad020268a51d2b92af364b687fccb333fac0d8cf0549cc220647866dbab55422749c87f3b763ff62eaf0

Download Submit
memory/1116-158-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1116-159-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/1652-301-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download
memory/1676-162-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/1676-214-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/1824-346-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/1996-228-0x0000000000B30000-0x0000000001024000-memory.dmp

Filesize
5.0MB

Download
memory/2028-286-0x0000000001360000-0x0000000001854000-memory.dmp

Filesize
5.0MB

Download
memory/2128-11-0x00000000024B0000-0x00000000024BA000-memory.dmp

Filesize
40KB

Download
memory/2128-10-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2128-163-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-136-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2128-16-0x0000000002690000-0x000000000269C000-memory.dmp

Filesize
48KB

Download
memory/2128-15-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2128-14-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2128-12-0x00000000024C0000-0x00000000024CE000-memory.dmp

Filesize
56KB

Download
memory/2128-13-0x0000000002660000-0x000000000266E000-memory.dmp

Filesize
56KB

Download
memory/2128-1-0x0000000000120000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/2128-0-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2128-193-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-9-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/2128-8-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/2128-7-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/2128-5-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2128-2-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-6-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/2128-3-0x000000001B340000-0x000000001B46E000-memory.dmp

Filesize
1.2MB

Download
memory/2128-4-0x0000000000920000-0x000000000093C000-memory.dmp

Filesize
112KB

Download
memory/2372-257-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/2660-316-0x0000000000950000-0x0000000000E44000-memory.dmp

Filesize
5.0MB

Download
memory/2972-331-0x0000000001100000-0x00000000015F4000-memory.dmp

Filesize
5.0MB

Download