dcrat | ae9589d8290da8ddfbc081f3ecdb50857abcb22a7977d0c957f81b625a361781

Analysis

max time kernel
119s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Size

4.9MB
MD5

3b6fd6541d4ddab0edbd51aa2f87e2b0
SHA1

a3e3dd0b42b506cab76d452088db7555dbdfa9fc
SHA256

ae9589d8290da8ddfbc081f3ecdb50857abcb22a7977d0c957f81b625a361781
SHA512

e9a5689f29ca646e76f5699a26a0ae5ed1b6a9e3a10260571f95ec15da1bb4bea1cf216035b4cbbe3a004884a233885d6cb779335de73b3f9521095994dd2b4a
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2736	schtasks.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Idle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe3b6fd6541d4ddab0edbd51aa2f87e2b0N.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1876-2-0x000000001BA30000-0x000000001BB5E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3032	powershell.exe
2496	powershell.exe
1396	powershell.exe
1740	powershell.exe
2432	powershell.exe
568	powershell.exe
2500	powershell.exe
236	powershell.exe
1644	powershell.exe
1400	powershell.exe
2916	powershell.exe
1848	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

Idle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	process
2664	Idle.exe
2296	Idle.exe
1516	Idle.exe
2840	Idle.exe
1732	Idle.exe
824	Idle.exe
2216	Idle.exe
2788	Idle.exe
2108	Idle.exe
2220	Idle.exe
2140	Idle.exe
2124	Idle.exe
2892	Idle.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Idle.exeIdle.exeIdle.exe3b6fd6541d4ddab0edbd51aa2f87e2b0N.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Program Files directory 12 IoCs

Processes:

3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\24dbde2999530e	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File created	C:\Program Files (x86)\Google\Temp\lsass.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File created	C:\Program Files\Internet Explorer\en-US\6cb0b6c459d5d3	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\RCXB4D.tmp	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\WmiPrvSE.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXDCD.tmp	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCXFF0.tmp	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\WmiPrvSE.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File created	C:\Program Files (x86)\Google\Temp\6203df4a6bafc7	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File created	C:\Program Files\Internet Explorer\en-US\dwm.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\lsass.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\dwm.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe

Drops file in Windows directory 8 IoCs

Processes:

3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe

description	ioc	process
File created	C:\Windows\Web\6ccacd8608530f	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File created	C:\Windows\tracing\csrss.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File created	C:\Windows\tracing\886983d96e3d3e	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Windows\Web\RCX521.tmp	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Windows\Web\Idle.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Windows\tracing\RCX744.tmp	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File opened for modification	C:\Windows\tracing\csrss.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
File created	C:\Windows\Web\Idle.exe	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
652	schtasks.exe
1884	schtasks.exe
800	schtasks.exe
2864	schtasks.exe
2992	schtasks.exe
2012	schtasks.exe
2428	schtasks.exe
552	schtasks.exe
2724	schtasks.exe
2808	schtasks.exe
2980	schtasks.exe
1308	schtasks.exe
1212	schtasks.exe
852	schtasks.exe
2672	schtasks.exe
2584	schtasks.exe
2128	schtasks.exe
2840	schtasks.exe
2556	schtasks.exe
2996	schtasks.exe
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

3b6fd6541d4ddab0edbd51aa2f87e2b0N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	process
1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
1400	powershell.exe
236	powershell.exe
2496	powershell.exe
2432	powershell.exe
568	powershell.exe
2500	powershell.exe
1848	powershell.exe
1396	powershell.exe
1740	powershell.exe
3032	powershell.exe
1644	powershell.exe
2916	powershell.exe
2664	Idle.exe
2296	Idle.exe
1516	Idle.exe
2840	Idle.exe
1732	Idle.exe
824	Idle.exe
2216	Idle.exe
2788	Idle.exe
2108	Idle.exe
2220	Idle.exe
2140	Idle.exe
2124	Idle.exe
2892	Idle.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2664	Idle.exe
Token: SeDebugPrivilege	2296	Idle.exe
Token: SeDebugPrivilege	1516	Idle.exe
Token: SeDebugPrivilege	2840	Idle.exe
Token: SeDebugPrivilege	1732	Idle.exe
Token: SeDebugPrivilege	824	Idle.exe
Token: SeDebugPrivilege	2216	Idle.exe
Token: SeDebugPrivilege	2788	Idle.exe
Token: SeDebugPrivilege	2108	Idle.exe
Token: SeDebugPrivilege	2220	Idle.exe
Token: SeDebugPrivilege	2140	Idle.exe
Token: SeDebugPrivilege	2124	Idle.exe
Token: SeDebugPrivilege	2892	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b6fd6541d4ddab0edbd51aa2f87e2b0N.exeIdle.exeWScript.exeIdle.exeWScript.exeIdle.exeWScript.exe

description	pid	process	target process
PID 1876 wrote to memory of 3032	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 3032	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 3032	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2500	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2500	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2500	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 236	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 236	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 236	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2496	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2496	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2496	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1644	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1644	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1644	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 568	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 568	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 568	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2432	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2432	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2432	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1848	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1848	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1848	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1400	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1400	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1400	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2916	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2916	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2916	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1396	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1396	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1396	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1740	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1740	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 1740	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	powershell.exe
PID 1876 wrote to memory of 2664	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	Idle.exe
PID 1876 wrote to memory of 2664	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	Idle.exe
PID 1876 wrote to memory of 2664	1876	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe	Idle.exe
PID 2664 wrote to memory of 704	2664	Idle.exe	WScript.exe
PID 2664 wrote to memory of 704	2664	Idle.exe	WScript.exe
PID 2664 wrote to memory of 704	2664	Idle.exe	WScript.exe
PID 2664 wrote to memory of 2156	2664	Idle.exe	WScript.exe
PID 2664 wrote to memory of 2156	2664	Idle.exe	WScript.exe
PID 2664 wrote to memory of 2156	2664	Idle.exe	WScript.exe
PID 704 wrote to memory of 2296	704	WScript.exe	Idle.exe
PID 704 wrote to memory of 2296	704	WScript.exe	Idle.exe
PID 704 wrote to memory of 2296	704	WScript.exe	Idle.exe
PID 2296 wrote to memory of 796	2296	Idle.exe	WScript.exe
PID 2296 wrote to memory of 796	2296	Idle.exe	WScript.exe
PID 2296 wrote to memory of 796	2296	Idle.exe	WScript.exe
PID 2296 wrote to memory of 1324	2296	Idle.exe	WScript.exe
PID 2296 wrote to memory of 1324	2296	Idle.exe	WScript.exe
PID 2296 wrote to memory of 1324	2296	Idle.exe	WScript.exe
PID 796 wrote to memory of 1516	796	WScript.exe	Idle.exe
PID 796 wrote to memory of 1516	796	WScript.exe	Idle.exe
PID 796 wrote to memory of 1516	796	WScript.exe	Idle.exe
PID 1516 wrote to memory of 2356	1516	Idle.exe	WScript.exe
PID 1516 wrote to memory of 2356	1516	Idle.exe	WScript.exe
PID 1516 wrote to memory of 2356	1516	Idle.exe	WScript.exe
PID 1516 wrote to memory of 1952	1516	Idle.exe	WScript.exe
PID 1516 wrote to memory of 1952	1516	Idle.exe	WScript.exe
PID 1516 wrote to memory of 1952	1516	Idle.exe	WScript.exe
PID 2356 wrote to memory of 2840	2356	WScript.exe	Idle.exe

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

3b6fd6541d4ddab0edbd51aa2f87e2b0N.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe
"C:\Users\Admin\AppData\Local\Temp\3b6fd6541d4ddab0edbd51aa2f87e2b0N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2664

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b1d6d79-1336-4777-af8a-93f25812b22a.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ebc0e66-06fd-419d-8066-3ffbfd26453b.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05bab65b-92e6-43e4-83da-3fdd4ab2d04d.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b82b5b-dcd6-4857-b3ed-1106231dd29f.vbs"
9⤵
PID:1840

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\282582a3-d3df-4529-86a4-b63a1d12e69a.vbs"
11⤵
PID:2208

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ad122c-4ef9-4b35-8155-9315ab08e794.vbs"
13⤵
PID:1772

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854c6dd5-969b-46da-b107-c51aa3bd36e7.vbs"
15⤵
PID:2444

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9322b511-65bf-4673-88e5-da190e5b7d97.vbs"
17⤵
PID:2356

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf4736ee-5e0c-408e-8b3b-565d8deca95a.vbs"
19⤵
PID:2860

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7607a6b2-1016-4ab1-a53f-3fffe681df07.vbs"
21⤵
PID:2700

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0e623e6-bb31-4e9a-91a4-cbb0a5c86b4d.vbs"
23⤵
PID:1588

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8929ea2d-2e02-4fd7-94e6-62369a4e3010.vbs"
25⤵
PID:2628

C:\Windows\Web\Idle.exe
C:\Windows\Web\Idle.exe
26⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c884a8b5-e739-482b-84e6-1dce127de029.vbs"
27⤵
PID:2292

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5b347c2-083d-40e7-992e-60fde1c6b023.vbs"
27⤵
PID:2212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\405c7986-d74f-4a09-9bb1-99866345fcf3.vbs"
25⤵
PID:1400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b469f34-18ee-47e6-a4f0-293029562b87.vbs"
23⤵
PID:1884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d16a86f5-a28d-47c9-814e-e75d949d5036.vbs"
21⤵
PID:2572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebef3c7c-b642-4180-96fd-4669db5fbca6.vbs"
19⤵
PID:2228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a1620b-7d6f-4363-8027-96a50dbb39e4.vbs"
17⤵
PID:2348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ce5b1bb-7f34-4600-bb78-3d31480576b5.vbs"
15⤵
PID:2200

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\752f93ea-ce07-4187-a23a-fb1022b10d85.vbs"
13⤵
PID:2428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d62ff8e9-47f2-4265-b888-2491c30e95a2.vbs"
11⤵
PID:2744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\838673e7-743d-464e-9204-be5895e0b78d.vbs"
9⤵
PID:2752

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffe47dfb-0cc9-49c9-9d3e-23423cd375e9.vbs"
7⤵
PID:1952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcaff32e-4927-4d8b-bb73-4c0c43c60e9a.vbs"
5⤵
PID:1324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb642d0c-2002-4ee3-8fd1-f67ac21c997e.vbs"
3⤵
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\en-US\RCXFF0.tmp
Filesize
4.9MB

MD5
4da0fa1d316e3677dab4cb71b9006664

SHA1
cac130a6b11bf8e153f7be2dede3ed23998f3833

SHA256
aa928bf1d6ecbc4f184f8f7d85d740e47a427351cb7c0e63ac8567114ae216f9

SHA512
a2f45fe81c84490b9b373e54b19e3862137514430c1229ff27a984c66c09555be9e3aaea29bd382c0f2db87aebf6d44f916bfe6020fab703a22a6fc6506024b4

Download Submit
C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\WmiPrvSE.exe
Filesize
4.9MB

MD5
3b6fd6541d4ddab0edbd51aa2f87e2b0

SHA1
a3e3dd0b42b506cab76d452088db7555dbdfa9fc

SHA256
ae9589d8290da8ddfbc081f3ecdb50857abcb22a7977d0c957f81b625a361781

SHA512
e9a5689f29ca646e76f5699a26a0ae5ed1b6a9e3a10260571f95ec15da1bb4bea1cf216035b4cbbe3a004884a233885d6cb779335de73b3f9521095994dd2b4a

Download Submit
C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\WmiPrvSE.exe
Filesize
4.9MB

MD5
161482f28fe02bf9d6d598623e119cc9

SHA1
ede1f8e92055797ad63397c2fd7424c1922e3352

SHA256
c2f5b69e9491edfa5a20a04c51fe057786193970cdd39932a102c34de2bd68a7

SHA512
22ca5482501a62ed65c1ed138410ee29925455b080893d58299d58ede665c57da8505f94aba5513ea8dc75f3a4351ed9f48219e80ddb00eb9e00912f80511494

Download Submit
C:\Users\Admin\AppData\Local\Temp\05bab65b-92e6-43e4-83da-3fdd4ab2d04d.vbs
Filesize
699B

MD5
6b5c6d402c762a5d920d857f8ca06a29

SHA1
f93462938c913eff761d18cbcd7c1df5b67afa32

SHA256
f0c9797f79c38b061248084718164676de3dad3d7b6548a7b341e5e1924c4b86

SHA512
024c57a302e15941f444441d85b9a19d1dd08682fe78be8661efd237a7dea2a483257181b9d9497efb62a0c6bbd5fc55c9f9f6d223b6a947e3fd047da58015b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\282582a3-d3df-4529-86a4-b63a1d12e69a.vbs
Filesize
699B

MD5
017207a6697a2fb2afb198326d7334ea

SHA1
794a654890c8e98ef296939f86ef6562555695da

SHA256
7ba5ee7e842416d47e63390bfbfd9692348fda66f2091dba024a72a55faf61c6

SHA512
0f7e5c9f1434c68c4dac8f6e7fb44de5bd79176ace7425e0209557404d5ebcdf940f5b8dee17e64b2056d244fe3d1f3a5202788a7e6f8563c15d3ae9087ffadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b1d6d79-1336-4777-af8a-93f25812b22a.vbs
Filesize
699B

MD5
4c02b58cb787e45e22413f923fad25b2

SHA1
4f4b613473f075f8cc6891b37b141c98342d3bb4

SHA256
ba1ab0d744b5e1bc7f937d4a74882e63b94eec2dad1ac0f86bc9f1fc66b74e7c

SHA512
3f3dbc295ce693bdcfb23aaf934731e7e14e85578cef72f77d37092322a9e33a86afbf8319949ca907e0cc79b570856402f7a06864c6aae14932c990bc2f22db

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ebc0e66-06fd-419d-8066-3ffbfd26453b.vbs
Filesize
699B

MD5
c54668aa152e9c8a65c6f938765a1972

SHA1
82005ff83808345360ce1d5d020cf318103af52b

SHA256
54fee26aaf1e372264fae60eafcb13c0831f19c3ad5f0f4ad7a471f898c8fddb

SHA512
b01bfb43aef1ac64653619652444d077080674b223d4557324e5dc210c820e27f237db7426f3b9fcc0f827f0cd5462108b6be4fec1e356ace68c88a6b6693ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7607a6b2-1016-4ab1-a53f-3fffe681df07.vbs
Filesize
699B

MD5
bcf14e7a136f2ef0b452f3ab93e461b5

SHA1
6c3383bd3d137ad152ba9e8ab4cb5ca36e46849b

SHA256
786b931c6ee30942ffaf5b3d02ebe5169d82bed3a42b546828652f503f0d6ac3

SHA512
9d2bcd86180559995c1f1fe22ae52882047ef010f647a84d2405302475f0efa401ca0613468a42370d396788535a521ab1b6cce94d72cc6377d8912d1fd15257

Download Submit
C:\Users\Admin\AppData\Local\Temp\854c6dd5-969b-46da-b107-c51aa3bd36e7.vbs
Filesize
699B

MD5
fe9b666df3266e7bce76b1ae4d366775

SHA1
87bb331a22d3a0b41968da0a73292595748c14e7

SHA256
da94de94a8ba8716be4e55565b57038ba7d08acd17e70ebb025dec25fe9bebf1

SHA512
e35b7a63f81488da08279210484a25050e09a7a8f98476a95f12f93a8273c0ef19476ff90382367bb04aa6b67ce85c690cb721ec4b0bfba22f5afd6c10d2898d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8929ea2d-2e02-4fd7-94e6-62369a4e3010.vbs
Filesize
699B

MD5
c0b463a289fe4b106abb2cba9346662e

SHA1
56ab8c7b48dda5013cd266c89fec492b77675204

SHA256
7e37f0eb25c2b8d3f3a4b3d2d5227b8f121a7eea87106d23800bc1a608fb4dad

SHA512
be3970cde4f2e6f1b342d329593ce24bf972a77a53c11cb6ba3f9a88a017829ef6c751bfbd7724f860f001c1499e49735eefe236b323979bdf7598aa4dd618a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9322b511-65bf-4673-88e5-da190e5b7d97.vbs
Filesize
699B

MD5
c5961e3a3b3c2a87c0792300a5c574f9

SHA1
6472e68d37fa985f202343d23949d0c07d912a4d

SHA256
23c882dfa10ae8ae24c9df126025b8b40ed681631435cd34b7220144ca2a1416

SHA512
9683241e218c2b79fa69d1e1a3ddfcf5eaee4855834f9cda49a22e80a07bc8a304542d1fc8ff648524970a9e70939236bc176cb5a5aa87778f90d9d6b208ab7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb642d0c-2002-4ee3-8fd1-f67ac21c997e.vbs
Filesize
475B

MD5
d074fd37d4ee14b905b1a91279ab81ed

SHA1
b14d2d448f407fc64d39eb4ca6a0b7faf3e3cc33

SHA256
bada857a52d72b19d1f4de996e8ad3aec45c0fbe0a5709154ac4b07ae4104fd1

SHA512
63d89e5e3886b5bd22e8bf7b91a6f046d09d15c01101a4cc024096dd8cf30dfb2dedbec50de7384b1f8fc86724925538dacb09fe0efb72a5ea1284a976edb99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf4736ee-5e0c-408e-8b3b-565d8deca95a.vbs
Filesize
699B

MD5
fd5bdd8376d0eaaffc18ba98f0af572d

SHA1
a89b847924d98dfe1b4ebc1646217793021efd7b

SHA256
8fb09afb7174632703de0a6d45e8248d002dacc2e43f48c4ae65ab4d8caa898f

SHA512
b23afb036802b3566cb5d5394b34c251ea68196c1dc044e038db5bd7078bb148671710f40d406b5e5e34ae0da65ab22c61449086b5850f75971fac17ad864428

Download Submit
C:\Users\Admin\AppData\Local\Temp\c884a8b5-e739-482b-84e6-1dce127de029.vbs
Filesize
699B

MD5
7c26b41a4a41b5cbb161854b629d1c4a

SHA1
6fd8297037045933fa8c4a28770ea494e7d393c0

SHA256
cc2ac9bd179cb141f48da6e403586e067f361425f9238157a05a7cdacb3738d2

SHA512
a65b47bda848c7a5b63ea1096d23f8ee155dbd0440f82a7bcf7389cd93b2e09e1e91b457ef293b15b5ed08ed86454621eee3f4804c44e14c5b5427bae5325a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9ad122c-4ef9-4b35-8155-9315ab08e794.vbs
Filesize
698B

MD5
a7ac85151a22cb6f97c586a8f1887471

SHA1
e41f40e5da8d6275c1ea1a5b1696d712b0f7c561

SHA256
ce9fb0a539ed09f3815270a2700b98dec5dc36acaebd7e7bc145c6e7b022de8c

SHA512
cce2efb96ee99cf6be81aac48fe144acc19db4cc0986e6f22a6d65ad3d37dff8556c3f5b88c25baf86ac46570623359ac144861415a5bf2753e7859ac0afed35

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0e623e6-bb31-4e9a-91a4-cbb0a5c86b4d.vbs
Filesize
699B

MD5
061daa79193ac92b7b1a349b8e658932

SHA1
d6d2ef7219fcc538f2530c1c39c90962ff04644c

SHA256
57b6e2c8b455d4653b728c078d7a3e22fbeffb8aeb4f062cee1bc69c7f7d286b

SHA512
0677b74036a8878b6467a375892952c7145ea7ee76531b47e83a3ff3a5ac0d1dc086505625a627eb9cd11d9f0e500e8ae4fecf1f24ab2f4063f03818fd26db08

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4b82b5b-dcd6-4857-b3ed-1106231dd29f.vbs
Filesize
699B

MD5
11099c7e51bab42c02981897894bba95

SHA1
e80b839f0b1708077ae63f3c4bbb31a1d999a76f

SHA256
73e5d36f1f715bf06c023e497b6eee4395276eb2c6d7c5abd60117450504ac3e

SHA512
e42418c5793463d2cb0b3e4fb81b63aa62362631915f59716f3a8bf349a0e138d6a8eb5c132c972a1b20f000d8b061628113969a8619702df4f1ee4c4f65d93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2185.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9fd29ca31d81027774400d3ddee0ab91

SHA1
87fda6b9abd1ed8a92bb54d2ba605d45ec3f1c7c

SHA256
21dbe75851d880e0494012fded4488912bfc6ab3364bc38c214879268f11cb64

SHA512
0e73414b0207c3793515612b6dde841c9a04ae30aeb3b81b688517fe8ad481238641b2748f0987d188cc88842b1cc44f026a8b91a3fa12e29189437aa835fb30

Download Submit
memory/824-223-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/1400-100-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1400-101-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1516-182-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/1516-181-0x0000000000260000-0x0000000000754000-memory.dmp

Filesize
5.0MB

Download
memory/1876-8-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/1876-4-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1876-11-0x00000000026C0000-0x00000000026CA000-memory.dmp

Filesize
40KB

Download
memory/1876-10-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/1876-146-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-1-0x0000000000DC0000-0x00000000012B4000-memory.dmp

Filesize
5.0MB

Download
memory/1876-9-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1876-2-0x000000001BA30000-0x000000001BB5E000-memory.dmp

Filesize
1.2MB

Download
memory/1876-12-0x00000000026D0000-0x00000000026DE000-memory.dmp

Filesize
56KB

Download
memory/1876-15-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/1876-14-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/1876-13-0x00000000026E0000-0x00000000026EE000-memory.dmp

Filesize
56KB

Download
memory/1876-7-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/1876-16-0x000000001AB90000-0x000000001AB9C000-memory.dmp

Filesize
48KB

Download
memory/1876-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

Filesize
4KB

Download
memory/1876-6-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/1876-3-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-5-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2108-267-0x00000000009B0000-0x0000000000EA4000-memory.dmp

Filesize
5.0MB

Download
memory/2124-312-0x00000000002A0000-0x0000000000794000-memory.dmp

Filesize
5.0MB

Download
memory/2140-297-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2220-282-0x0000000000CD0000-0x00000000011C4000-memory.dmp

Filesize
5.0MB

Download
memory/2296-166-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/2664-152-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download
memory/2664-135-0x00000000012F0000-0x00000000017E4000-memory.dmp

Filesize
5.0MB

Download
memory/2788-252-0x00000000000F0000-0x00000000005E4000-memory.dmp

Filesize
5.0MB

Download
memory/2840-197-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/2892-327-0x0000000000E80000-0x0000000001374000-memory.dmp

Filesize
5.0MB

Download