dcrat | 486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28

Analysis

max time kernel
118s
max time network
112s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Size

4.9MB
MD5

674e323ec8e3abd5ffcb9ebbaec24d40
SHA1

2d6725a34476c325783b680e6d994ac62b659409
SHA256

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28
SHA512

452f7149cc2b016bd0b230e0aabb6bcfabb474e3a0da9a906b8a458e42992f2ce30bf4d9c4cd5dbdd0c5fc24d77565b4ae29603faf6fbd71d220dc79017c1a0b
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2484	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2340-3-0x000000001B500000-0x000000001B62E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1700	powershell.exe
2944	powershell.exe
3016	powershell.exe
1984	powershell.exe
1060	powershell.exe
2716	powershell.exe
1116	powershell.exe
2596	powershell.exe
1932	powershell.exe
1716	powershell.exe
3036	powershell.exe
1408	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1628	System.exe
1376	System.exe
2556	System.exe
1112	System.exe
3052	System.exe
1324	System.exe
2944	System.exe
944	System.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\24dbde2999530e	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files\7-Zip\Lang\f3b6ecef712a24	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\24dbde2999530e	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\56085415360792	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX9B40.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\3975f5fc62b512	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX8A08.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX9D44.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX9F48.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\spoolsv.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files\7-Zip\Lang\spoolsv.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8CB7.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX993C.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\de-DE\dwm.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXA14C.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Windows\Downloaded Program Files\System.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Windows\AppPatch\de-DE\dwm.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Windows\AppPatch\de-DE\6cb0b6c459d5d3	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Windows\Downloaded Program Files\System.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Windows\Downloaded Program Files\27d1bcfc3c54e0	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Windows\AppPatch\de-DE\RCX92C4.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe
732	schtasks.exe
2888	schtasks.exe
1896	schtasks.exe
1012	schtasks.exe
1928	schtasks.exe
2628	schtasks.exe
2620	schtasks.exe
2156	schtasks.exe
676	schtasks.exe
2908	schtasks.exe
2864	schtasks.exe
448	schtasks.exe
2704	schtasks.exe
880	schtasks.exe
2416	schtasks.exe
1760	schtasks.exe
2796	schtasks.exe
2816	schtasks.exe
3008	schtasks.exe
1668	schtasks.exe
2072	schtasks.exe
1784	schtasks.exe
2832	schtasks.exe
1240	schtasks.exe
1748	schtasks.exe
1744	schtasks.exe
1484	schtasks.exe
316	schtasks.exe
300	schtasks.exe
1140	schtasks.exe
644	schtasks.exe
356	schtasks.exe
484	schtasks.exe
564	schtasks.exe
2052	schtasks.exe
2720	schtasks.exe
2840	schtasks.exe
2752	schtasks.exe
2088	schtasks.exe
1820	schtasks.exe
1844	schtasks.exe
320	schtasks.exe
2040	schtasks.exe
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
1408	powershell.exe
1716	powershell.exe
1116	powershell.exe
1060	powershell.exe
2944	powershell.exe
1984	powershell.exe
3016	powershell.exe
2596	powershell.exe
2716	powershell.exe
1932	powershell.exe
3036	powershell.exe
1700	powershell.exe
1628	System.exe
1376	System.exe
2556	System.exe
1112	System.exe
3052	System.exe
1324	System.exe
2944	System.exe
944	System.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1628	System.exe
Token: SeDebugPrivilege	1376	System.exe
Token: SeDebugPrivilege	2556	System.exe
Token: SeDebugPrivilege	1112	System.exe
Token: SeDebugPrivilege	3052	System.exe
Token: SeDebugPrivilege	1324	System.exe
Token: SeDebugPrivilege	2944	System.exe
Token: SeDebugPrivilege	944	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2716	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	76
PID 2340 wrote to memory of 2716	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	76
PID 2340 wrote to memory of 2716	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	76
PID 2340 wrote to memory of 1408	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	77
PID 2340 wrote to memory of 1408	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	77
PID 2340 wrote to memory of 1408	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	77
PID 2340 wrote to memory of 1700	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	78
PID 2340 wrote to memory of 1700	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	78
PID 2340 wrote to memory of 1700	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	78
PID 2340 wrote to memory of 1116	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	79
PID 2340 wrote to memory of 1116	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	79
PID 2340 wrote to memory of 1116	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	79
PID 2340 wrote to memory of 3036	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	80
PID 2340 wrote to memory of 3036	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	80
PID 2340 wrote to memory of 3036	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	80
PID 2340 wrote to memory of 2944	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	81
PID 2340 wrote to memory of 2944	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	81
PID 2340 wrote to memory of 2944	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	81
PID 2340 wrote to memory of 3016	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	82
PID 2340 wrote to memory of 3016	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	82
PID 2340 wrote to memory of 3016	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	82
PID 2340 wrote to memory of 1716	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	83
PID 2340 wrote to memory of 1716	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	83
PID 2340 wrote to memory of 1716	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	83
PID 2340 wrote to memory of 1984	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	84
PID 2340 wrote to memory of 1984	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	84
PID 2340 wrote to memory of 1984	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	84
PID 2340 wrote to memory of 2596	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	85
PID 2340 wrote to memory of 2596	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	85
PID 2340 wrote to memory of 2596	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	85
PID 2340 wrote to memory of 1932	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	86
PID 2340 wrote to memory of 1932	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	86
PID 2340 wrote to memory of 1932	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	86
PID 2340 wrote to memory of 1060	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	87
PID 2340 wrote to memory of 1060	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	87
PID 2340 wrote to memory of 1060	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	87
PID 2340 wrote to memory of 2204	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	100
PID 2340 wrote to memory of 2204	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	100
PID 2340 wrote to memory of 2204	2340	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	100
PID 2204 wrote to memory of 3048	2204	cmd.exe	102
PID 2204 wrote to memory of 3048	2204	cmd.exe	102
PID 2204 wrote to memory of 3048	2204	cmd.exe	102
PID 2204 wrote to memory of 1628	2204	cmd.exe	103
PID 2204 wrote to memory of 1628	2204	cmd.exe	103
PID 2204 wrote to memory of 1628	2204	cmd.exe	103
PID 1628 wrote to memory of 1796	1628	System.exe	105
PID 1628 wrote to memory of 1796	1628	System.exe	105
PID 1628 wrote to memory of 1796	1628	System.exe	105
PID 1628 wrote to memory of 2656	1628	System.exe	106
PID 1628 wrote to memory of 2656	1628	System.exe	106
PID 1628 wrote to memory of 2656	1628	System.exe	106
PID 1796 wrote to memory of 1376	1796	WScript.exe	107
PID 1796 wrote to memory of 1376	1796	WScript.exe	107
PID 1796 wrote to memory of 1376	1796	WScript.exe	107
PID 1376 wrote to memory of 1596	1376	System.exe	108
PID 1376 wrote to memory of 1596	1376	System.exe	108
PID 1376 wrote to memory of 1596	1376	System.exe	108
PID 1376 wrote to memory of 1724	1376	System.exe	109
PID 1376 wrote to memory of 1724	1376	System.exe	109
PID 1376 wrote to memory of 1724	1376	System.exe	109
PID 1596 wrote to memory of 2556	1596	WScript.exe	110
PID 1596 wrote to memory of 2556	1596	WScript.exe	110
PID 1596 wrote to memory of 2556	1596	WScript.exe	110
PID 2556 wrote to memory of 572	2556	System.exe	111

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
"C:\Users\Admin\AppData\Local\Temp\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4kC1bcDVg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3048
- - C:\Windows\Downloaded Program Files\System.exe
    "C:\Windows\Downloaded Program Files\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1628
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a77494ca-ed5d-48cd-a857-beb8381ff166.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Windows\Downloaded Program Files\System.exe
        
        "C:\Windows\Downloaded Program Files\System.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4325627-096c-4128-8c64-639802c55a12.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\Downloaded Program Files\System.exe
        
        "C:\Windows\Downloaded Program Files\System.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a70f86d-11ac-497d-abe5-d164914c36c7.vbs"
        8⤵
        
        PID:572
        
        C:\Windows\Downloaded Program Files\System.exe
        
        "C:\Windows\Downloaded Program Files\System.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ca1c7d4-961f-425c-b4d3-028847fc069a.vbs"
        10⤵
        
        PID:3056
        
        C:\Windows\Downloaded Program Files\System.exe
        
        "C:\Windows\Downloaded Program Files\System.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b150161a-f2e8-486e-8b28-da576e6b0d73.vbs"
        12⤵
        
        PID:2196
        
        C:\Windows\Downloaded Program Files\System.exe
        
        "C:\Windows\Downloaded Program Files\System.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f3fc23-3092-45ab-9eb2-b22737b1109a.vbs"
        14⤵
        
        PID:732
        
        C:\Windows\Downloaded Program Files\System.exe
        
        "C:\Windows\Downloaded Program Files\System.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33c11e0d-8c0a-49f6-8263-82dce6b28cd6.vbs"
        16⤵
        
        PID:1516
        
        C:\Windows\Downloaded Program Files\System.exe
        
        "C:\Windows\Downloaded Program Files\System.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c41576f-feb8-4c90-918a-9738416313bc.vbs"
        18⤵
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a77393b5-b439-446c-baea-ce2fa81640e7.vbs"
        18⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b6d574a-d794-4b50-a8f5-da4ecdf8979a.vbs"
        16⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27521a9c-3cf1-4c04-8a63-1317439d51fe.vbs"
        14⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1f69128-292b-4585-b5bf-e5b610d83e47.vbs"
        12⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76220a7d-8de2-441f-9287-c24ee0a3b4a9.vbs"
        10⤵
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc305364-8349-45a4-9c8e-3c2a1d191907.vbs"
        8⤵
        
        PID:1828
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74439615-3e55-4231-9e0f-1162f871448a.vbs"
        6⤵
        
        PID:1724
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d71aba36-309c-48b6-951d-a88061929b5b.vbs"
      4⤵
      PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N4" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N4" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c41576f-feb8-4c90-918a-9738416313bc.vbs

Filesize
721B

MD5
9a373d800a89138bde67f147d680e828

SHA1
3e8c7dff309fba5ca7e982d0c475493fb6c02c9c

SHA256
683a27aeb5e8f072a63fc155698f0a7575b32a6e203bb2c6172cc5fcb41babe5

SHA512
345e1e2c4ac7d5fba2a7ab6469a326769d389ebfaed80886c2bbd967232651fe6411767370edbc9b4fb6aecd15d0083ec5ca44e12ca600eca048706194244f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a70f86d-11ac-497d-abe5-d164914c36c7.vbs

Filesize
722B

MD5
c6966daec5061a70cb8182155546f6c2

SHA1
88e852c47969b0905ea1dc874455d97d2be18107

SHA256
89859c574f24a0bde7ba914931b87cb32dc7179ef6a26dbcfd21e2c7608e9f29

SHA512
813b8ddb741dd878449bda850d895d3634f2d8f73df00c5f253256e955dccc3eced732af687df7b138830ce8fc96bd92b91a8f8da4eb120624388afdba139853

Download Submit
C:\Users\Admin\AppData\Local\Temp\33c11e0d-8c0a-49f6-8263-82dce6b28cd6.vbs

Filesize
722B

MD5
bdd25fb1c69ab9ea2b7d503b122064f0

SHA1
bb308e034dcbe39eff8a7d04efecde9777a931ea

SHA256
07416617838d0356c70378d7590aadd9c76f6bc542497e1bff953985a4ec67df

SHA512
6907d42b271d4e36a1f7716208158ff124cf960c0997f0ecb3a60fc62202f165c0a6034646940899df8353cb3d34dd1714a17dde598ca0f93707a85c06bdcdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ca1c7d4-961f-425c-b4d3-028847fc069a.vbs

Filesize
722B

MD5
7fa786b56cb53862a22cd595e8fdf26d

SHA1
9461497c61a5ba0fccfeeefc6c55993ddc85c0a2

SHA256
f8c4e3b24e29e41496ecd70a26952f52b4928847182270744b39bbaebe8e0904

SHA512
c4785657b0a7cabe22273b2f798311c72a3df69acd59bde4cacea2f217c029b0291cc8c9d55fed3905b8d5cb2d4e6339dedda9fe1e9b05db41a8bee282ea1ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a77494ca-ed5d-48cd-a857-beb8381ff166.vbs

Filesize
722B

MD5
b7d74934de308b6ea78073e9e33ba7da

SHA1
0bcc6cd13f2f8c5cae6dd6397c076e48aa35cd48

SHA256
12c497e2e7e0f1eeae656e263a1c6a276e8f55dcf954515b42996195025e8967

SHA512
056c901a07c847609588573b35f85e3c6fdc23cd9c1ebc811b7a4aaa5455bfb5cf2dbe841468bf791c847eb2178c51d33a41b20d3e8df18d6d4193c46638de3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b150161a-f2e8-486e-8b28-da576e6b0d73.vbs

Filesize
722B

MD5
5fcf37df74daabaa3c64664a575b22fd

SHA1
0ada8c9f2466ba7577aa2f8531ae2a94675d4ac0

SHA256
3109fec378a497f75b56768195fb1821805ea29a877e0355decb75ceb6f0b349

SHA512
ee2f5bbc4f886ed5827e67283745af5fe71421080cbf68015dba15e8fe0db7bb99c7c733227796599c09900ddd24539b54291a0c5eca32a320acd278ac98add9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4f3fc23-3092-45ab-9eb2-b22737b1109a.vbs

Filesize
722B

MD5
b2736593ee6859e7489c4f725f393f80

SHA1
c7a3a2caea4f9a80ec131e35c02ef4dbf8e89762

SHA256
e4332c842f71c55245de54bafce28e749b7d22e15ed6c465d3bd537ff3c550ea

SHA512
6a2c324886dd20a54b0503ca892a99e217c7791f34aebe6583368b40edbea126bff065e8bf62e69081531e76ee063489527dab0a21f4a4499cf114adf8eafe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d71aba36-309c-48b6-951d-a88061929b5b.vbs

Filesize
498B

MD5
ed8b9f76129afbb6980960c78aba7763

SHA1
8bdd8ffe0c01a097e6de3bd52de86859620f2334

SHA256
1461019f57efa94dd843c3326bff510b7c676025f5da533f1584af836338f995

SHA512
2546b08e4de1f3438bae282131eb3d5146c985470dcb8031bc192f4b9d08003c8d6fe184a7de6029fc398f71d0bcee3a1c0ce13fc57dbe419b5a6de1ba8e52d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4325627-096c-4128-8c64-639802c55a12.vbs

Filesize
722B

MD5
9a8c2e45d93c1adb07ef536064359aa0

SHA1
e4c7b4ef07ca0b12465e017370b20721856f4a4e

SHA256
3450606be616de74a2e776fa5848c8006936c003032d215b92e40a181cd2817b

SHA512
f54454f0827fc05186c80aa92b18fca6d1831e77c7f8c332eedb5d21ec43ead6747a3f6cb24a233b7f486a2b56626daa29e7cc28ff89ef355106b477f3493ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4kC1bcDVg.bat

Filesize
211B

MD5
4d5a20b53e32cd28c22c4198383ad72e

SHA1
9aaf45a03b0ed3a4a90510606dca82e96c14ae05

SHA256
0a829d1b8b52a89937b86de8afdd125b854946886136747d0c526d85f08c6261

SHA512
3450c0dc0af347aaa1d3a4109ef03c3ba07165d3deefcd4afca86a022e445add165f67c6d2758167281e68eeae72d9383ed3987d2b1d3651122d50b6f7d6d38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD578.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b306dc152c88c5dade3bac422651be9f

SHA1
e3dad15616a58e8cd9a7ed2ef05dc8800508dfd2

SHA256
53d0cd9fd547237d41cda91ed8d840b49e9f961e7a47b89aa83f5db9d25ee7cb

SHA512
8e77a140e52845c3fcc176a90dd471c7791ad7206f50ed5f4fac89cd9435cce2a2e534f7635455a9bce412181e2fc8feb0325745b94f6d5a8e4ad2be2f6579d9

Download Submit
C:\Windows\AppPatch\de-DE\dwm.exe

Filesize
4.9MB

MD5
674e323ec8e3abd5ffcb9ebbaec24d40

SHA1
2d6725a34476c325783b680e6d994ac62b659409

SHA256
486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28

SHA512
452f7149cc2b016bd0b230e0aabb6bcfabb474e3a0da9a906b8a458e42992f2ce30bf4d9c4cd5dbdd0c5fc24d77565b4ae29603faf6fbd71d220dc79017c1a0b

Download Submit
C:\Windows\Downloaded Program Files\System.exe

Filesize
4.9MB

MD5
ae63902ed7b5e94c6ab5c9c8e37bc4a0

SHA1
0175ecfa77642538d63a7fe998992d4e6472c907

SHA256
70b80dc350a028667f903061b75b292784a08c5048ec84c9682f140ca2260ba8

SHA512
19dd85fe1030409f2f27ae05742bfbe52e7bb3019c2695a5c306e54ee1521c3f0c28515561c6a9a617e293b0de6e950522e5b621e1691788837cb68ccb397686

Download Submit
memory/1112-270-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download
memory/1408-185-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1408-186-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/1628-227-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/1628-226-0x00000000012D0000-0x00000000017C4000-memory.dmp

Filesize
5.0MB

Download
memory/2340-9-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2340-11-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download
memory/2340-8-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2340-1-0x00000000012D0000-0x00000000017C4000-memory.dmp

Filesize
5.0MB

Download
memory/2340-7-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/2340-14-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/2340-160-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-12-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/2340-10-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2340-147-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/2340-16-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2340-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/2340-15-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2340-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2340-13-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download
memory/2340-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2340-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2340-3-0x000000001B500000-0x000000001B62E000-memory.dmp

Filesize
1.2MB

Download
memory/2556-255-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/3052-285-0x0000000000D00000-0x00000000011F4000-memory.dmp

Filesize
5.0MB

Download