dcrat | 14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Size

4.9MB
MD5

446d69d1d68f0c0ee6c5f6b1fc5fca90
SHA1

63de6dc0d2b9adcb1dfb39f0209079bae1b2b0d7
SHA256

14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6
SHA512

5a83eb3bae4aadbf01fd0b6632ffb7f2521d26c00dd60f63b0d782d267ceaa3b545d902803f26d9a3033a854fe447bddba95e68494eca84ff99835ef88da5d8a
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2468	schtasks.exe	30

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exe14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2152-3-0x0000000000FB0000-0x00000000010DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1940	powershell.exe
2156	powershell.exe
1496	powershell.exe
3004	powershell.exe
2988	powershell.exe
992	powershell.exe
2396	powershell.exe
3016	powershell.exe
2620	powershell.exe
540	powershell.exe
1232	powershell.exe
1720	powershell.exe

Executes dropped EXE 14 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	Process
576	winlogon.exe
1900	winlogon.exe
548	winlogon.exe
1664	winlogon.exe
2028	winlogon.exe
2212	winlogon.exe
1080	winlogon.exe
1104	winlogon.exe
2020	winlogon.exe
940	winlogon.exe
2212	winlogon.exe
1544	winlogon.exe
1664	winlogon.exe
2096	winlogon.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 8 IoCs

Processes:

14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6203df4a6bafc7	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXC89E.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXCD14.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\cc11b995f2a76d	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe

Drops file in Windows directory 4 IoCs

Processes:

14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe

description	ioc	Process
File created	C:\Windows\de-DE\csrss.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Windows\de-DE\csrss.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Windows\de-DE\886983d96e3d3e	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Windows\de-DE\RCXC69A.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1396	schtasks.exe
2880	schtasks.exe
2000	schtasks.exe
2792	schtasks.exe
2752	schtasks.exe
2060	schtasks.exe
2028	schtasks.exe
2804	schtasks.exe
2636	schtasks.exe
748	schtasks.exe
2644	schtasks.exe
1736	schtasks.exe
2024	schtasks.exe
2712	schtasks.exe
2716	schtasks.exe
380	schtasks.exe
1312	schtasks.exe
2324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	Process
2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
2396	powershell.exe
1496	powershell.exe
1232	powershell.exe
1720	powershell.exe
2156	powershell.exe
2620	powershell.exe
2988	powershell.exe
540	powershell.exe
3004	powershell.exe
1940	powershell.exe
3016	powershell.exe
992	powershell.exe
576	winlogon.exe
1900	winlogon.exe
548	winlogon.exe
1664	winlogon.exe
2028	winlogon.exe
2212	winlogon.exe
1080	winlogon.exe
1104	winlogon.exe
2020	winlogon.exe
940	winlogon.exe
2212	winlogon.exe
1544	winlogon.exe
1664	winlogon.exe
2096	winlogon.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	576	winlogon.exe
Token: SeDebugPrivilege	1900	winlogon.exe
Token: SeDebugPrivilege	548	winlogon.exe
Token: SeDebugPrivilege	1664	winlogon.exe
Token: SeDebugPrivilege	2028	winlogon.exe
Token: SeDebugPrivilege	2212	winlogon.exe
Token: SeDebugPrivilege	1080	winlogon.exe
Token: SeDebugPrivilege	1104	winlogon.exe
Token: SeDebugPrivilege	2020	winlogon.exe
Token: SeDebugPrivilege	940	winlogon.exe
Token: SeDebugPrivilege	2212	winlogon.exe
Token: SeDebugPrivilege	1544	winlogon.exe
Token: SeDebugPrivilege	1664	winlogon.exe
Token: SeDebugPrivilege	2096	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.execmd.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exe

description	pid	Process	procid_target
PID 2152 wrote to memory of 2396	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	50
PID 2152 wrote to memory of 2396	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	50
PID 2152 wrote to memory of 2396	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	50
PID 2152 wrote to memory of 1720	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	51
PID 2152 wrote to memory of 1720	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	51
PID 2152 wrote to memory of 1720	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	51
PID 2152 wrote to memory of 1940	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	52
PID 2152 wrote to memory of 1940	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	52
PID 2152 wrote to memory of 1940	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	52
PID 2152 wrote to memory of 2156	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	53
PID 2152 wrote to memory of 2156	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	53
PID 2152 wrote to memory of 2156	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	53
PID 2152 wrote to memory of 3016	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	54
PID 2152 wrote to memory of 3016	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	54
PID 2152 wrote to memory of 3016	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	54
PID 2152 wrote to memory of 2620	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	55
PID 2152 wrote to memory of 2620	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	55
PID 2152 wrote to memory of 2620	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	55
PID 2152 wrote to memory of 1496	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	56
PID 2152 wrote to memory of 1496	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	56
PID 2152 wrote to memory of 1496	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	56
PID 2152 wrote to memory of 540	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	57
PID 2152 wrote to memory of 540	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	57
PID 2152 wrote to memory of 540	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	57
PID 2152 wrote to memory of 1232	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	58
PID 2152 wrote to memory of 1232	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	58
PID 2152 wrote to memory of 1232	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	58
PID 2152 wrote to memory of 3004	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	59
PID 2152 wrote to memory of 3004	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	59
PID 2152 wrote to memory of 3004	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	59
PID 2152 wrote to memory of 2988	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	60
PID 2152 wrote to memory of 2988	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	60
PID 2152 wrote to memory of 2988	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	60
PID 2152 wrote to memory of 992	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	61
PID 2152 wrote to memory of 992	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	61
PID 2152 wrote to memory of 992	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	61
PID 2152 wrote to memory of 1932	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	74
PID 2152 wrote to memory of 1932	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	74
PID 2152 wrote to memory of 1932	2152	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	74
PID 1932 wrote to memory of 2608	1932	cmd.exe	76
PID 1932 wrote to memory of 2608	1932	cmd.exe	76
PID 1932 wrote to memory of 2608	1932	cmd.exe	76
PID 1932 wrote to memory of 576	1932	cmd.exe	77
PID 1932 wrote to memory of 576	1932	cmd.exe	77
PID 1932 wrote to memory of 576	1932	cmd.exe	77
PID 576 wrote to memory of 2956	576	winlogon.exe	78
PID 576 wrote to memory of 2956	576	winlogon.exe	78
PID 576 wrote to memory of 2956	576	winlogon.exe	78
PID 576 wrote to memory of 2876	576	winlogon.exe	79
PID 576 wrote to memory of 2876	576	winlogon.exe	79
PID 576 wrote to memory of 2876	576	winlogon.exe	79
PID 2956 wrote to memory of 1900	2956	WScript.exe	80
PID 2956 wrote to memory of 1900	2956	WScript.exe	80
PID 2956 wrote to memory of 1900	2956	WScript.exe	80
PID 1900 wrote to memory of 2624	1900	winlogon.exe	81
PID 1900 wrote to memory of 2624	1900	winlogon.exe	81
PID 1900 wrote to memory of 2624	1900	winlogon.exe	81
PID 1900 wrote to memory of 2740	1900	winlogon.exe	82
PID 1900 wrote to memory of 2740	1900	winlogon.exe	82
PID 1900 wrote to memory of 2740	1900	winlogon.exe	82
PID 2624 wrote to memory of 548	2624	WScript.exe	83
PID 2624 wrote to memory of 548	2624	WScript.exe	83
PID 2624 wrote to memory of 548	2624	WScript.exe	83
PID 548 wrote to memory of 2804	548	winlogon.exe	84

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exewinlogon.exewinlogon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
"C:\Users\Admin\AppData\Local\Temp\14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lbKBZUlOPJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2608
- - C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
    "C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:576
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\771e57d4-3a76-4a87-b732-590bec6f7d74.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1900
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae1922e8-7a11-4cd4-a648-2585fb440d14.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc8bff65-412c-466c-b737-91e6baba1206.vbs"
        8⤵
        
        PID:2804
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c35d7a87-22da-4b06-8541-61440a999beb.vbs"
        10⤵
        
        PID:2156
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad6edc9e-5841-4c8e-bb18-95787256318f.vbs"
        12⤵
        
        PID:320
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d909ade-2f8d-487b-b4be-578632ee8055.vbs"
        14⤵
        
        PID:1604
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea3c76ae-32dc-4c44-a931-c06183056d7c.vbs"
        16⤵
        
        PID:828
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\047311d3-cf10-435e-b009-fa333df10b85.vbs"
        18⤵
        
        PID:1668
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e45b49c-f2f3-4119-8cd1-de3cea381660.vbs"
        20⤵
        
        PID:1220
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\763c382c-998f-4aab-91d9-58571723248b.vbs"
        22⤵
        
        PID:2276
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f912d55-7055-40d9-8b8e-82cf6178def7.vbs"
        24⤵
        
        PID:2852
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1af8875-1b43-4344-8b18-ce9c6387cc82.vbs"
        26⤵
        
        PID:2808
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0a93b2f-d1a9-4206-9228-c0d7f30e94ce.vbs"
        28⤵
        
        PID:1568
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        
        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe
        29⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bcaf520-fb0a-4a90-99c5-c0fb7b7ce1b5.vbs"
        30⤵
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da09f40b-976d-43ae-8c01-a7e3a1f1026b.vbs"
        30⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75b1e425-87c8-4f30-a914-3d828bf476d7.vbs"
        28⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e8dc77a-bda5-4c0a-90fd-f0749bb4c693.vbs"
        26⤵
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e9f100-e3b0-434d-959d-eb9ba88b9723.vbs"
        24⤵
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de2dc02a-5eb6-400c-9e49-49f74db2d561.vbs"
        22⤵
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2743aa1e-ae36-45a8-8602-641c9442e89c.vbs"
        20⤵
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b102b969-5700-4256-b361-e6df188fea05.vbs"
        18⤵
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84632fc6-e888-4dd0-b724-c726cf3c118e.vbs"
        16⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0e70982-c720-4451-9f53-9a366ea0bfad.vbs"
        14⤵
        
        PID:112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0f1e93f-243f-4a86-a772-5f79a1a0dcb5.vbs"
        12⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54f73f2f-6132-49b6-929c-c770d21676c5.vbs"
        10⤵
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107b5e4c-de2e-4ac5-b349-08f28a56c13f.vbs"
        8⤵
        
        PID:3032
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f16d9c3f-f062-4e79-a16d-cea20b90105f.vbs"
        6⤵
        
        PID:2740
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1696c54a-817a-4e80-b237-ce90f515683e.vbs"
      4⤵
      PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\047311d3-cf10-435e-b009-fa333df10b85.vbs

Filesize
737B

MD5
d1091ee8079dc5bf8c52bc37294e58d1

SHA1
8c64d5c709b2c0ade0f5ee81540e63a54846856d

SHA256
66f7183707202a00d50300746b2162dbc07ae5c6db9024af5aa81dc5545daf5c

SHA512
c327eb9215fcfaa36c77237696da32ded9bdbe2480692b7d3645401cc38e2f5d60511e5cdff64f2fb573985094f4e39fc2a06901db0878371590c17e6eb0a96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e45b49c-f2f3-4119-8cd1-de3cea381660.vbs

Filesize
737B

MD5
70ac88b9e3f7dc348daaa1aab6ea2abc

SHA1
687138cc928d4dca2f11758d4002e18af9138cf4

SHA256
ad61728bee5ed2e0cdbc0ce5e98d312969fe9de20443941603938b18012ae32c

SHA512
2f168f4ac15b5925f8aeaf25024719f261f930bb4017d8f5846018afde5cc06a99ad73f510088c640f0d32b27dad0da9ed1342a72de274e73da21f05f1049925

Download Submit
C:\Users\Admin\AppData\Local\Temp\1696c54a-817a-4e80-b237-ce90f515683e.vbs

Filesize
513B

MD5
c4e52c0160882bca4de716f1bc16594c

SHA1
037a09c4486bb4dcdbc637e3a4f3b57500eca98e

SHA256
9e6333a7553b4a9f7946953dd05e691f28b7d827887652addb79080e9616f8c3

SHA512
8f54f8455eb06085cb3a66d1dcaf9dc7690a5701d55c2574dd369bd8fc939fcf9676069ffcf31f1990b5ec7158a9f43007b8f519fe9e15a71de1b1af466521a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d909ade-2f8d-487b-b4be-578632ee8055.vbs

Filesize
737B

MD5
36beddea9767d20e28cf88e5cad5564a

SHA1
3581366e11a0a16c500cb5388876dab63d5b8e03

SHA256
3478c32fd6f47d89a9989925a60785bd00dd961ef88aba2c580f5888c2b163fe

SHA512
0b00a17dc32c12b4a0b907c34fa155371733f4750e2864facf451fa22e185eabc0d547943dc2c4fa74e409301de115a2ebd9463f6249f1e6e5f960da312c5e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\763c382c-998f-4aab-91d9-58571723248b.vbs

Filesize
736B

MD5
876799edb714d98e96212276f87d1da6

SHA1
ecb02a86553ee18ca4d4a4da3977cab5b94c431b

SHA256
fd7d9ba7ae125e3ecb412f544e703c3fd9a464ddcd7a4b5d7f45d68ce3851627

SHA512
1d58f363c25a373cf723cab8090e13d03fb059af77d7a116bc177ef8bf4e8071887968cfb75645160902392af9648ff649e6298a9b97876eb999adbe735a14e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\771e57d4-3a76-4a87-b732-590bec6f7d74.vbs

Filesize
736B

MD5
c3fd85c8631927bbfae6091670e4a65f

SHA1
203133b50b7c9512ff32e14c5e0b29313c8ea0fb

SHA256
869f1b0ef40a063ac8b8e6c152bd6a902b8abeb36eb3d3226203717cfb66eef4

SHA512
13e4e03abf195a6b731e10636e5ebe98382ebbff58f85b086295dc4c217e0c8113bd61e99622cfcb33a72727d5da8788c5347dcf4a75ce0b3661e1c3b783f2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bcaf520-fb0a-4a90-99c5-c0fb7b7ce1b5.vbs

Filesize
737B

MD5
fb1993331c2ecdb77c3144d1ffa1512a

SHA1
ebb47b737a9bf6b563d049656c4495c8584bb114

SHA256
86d21752a782d8f3faea57675cce537387a727990ff59390739ab912c5657f28

SHA512
26aa8a746961e6908574564e538c4c4ca1341bdc78602aaf1769b0eac3c269a6cfe40c78cc08f4341d54373fecb83efc6ae8799068fb0de82305547db3f9e0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad6edc9e-5841-4c8e-bb18-95787256318f.vbs

Filesize
737B

MD5
df28fa10f2d20f4d829c945162e30a77

SHA1
81caceff014d30ccb623990876b1373bf18fb4c7

SHA256
e408028aedeb218cafe878d95627f2dd062c121c29ad4022d15e0e223713a8da

SHA512
2c96c17a0387af5b9e3db0812a828054ca49a2cff3753545bcf1a29a2ee59c96adcc5bc2b46824b810596ff3699408299b810d32224f5e252b7811e5c6ed7c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae1922e8-7a11-4cd4-a648-2585fb440d14.vbs

Filesize
737B

MD5
0b7e9170e50c595170f1b9422a4e7db0

SHA1
e1183c5380a5d92e3694034a0ddf4de822296d7d

SHA256
d9d787fa9dae03987e6133b7655bd51250aa17471876fa18c13c2f971ced1c05

SHA512
40a57e7ab5ed0c5e8b558326dbaf50d7b188d9f500341429f7e32093fadaa1b89765d161710af0b8f30d0df23e0010657f41cc116a6e15fe1e089e7eb551f2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c35d7a87-22da-4b06-8541-61440a999beb.vbs

Filesize
737B

MD5
8a567be09f8a4e9ef8206f7af09468a8

SHA1
92b067bc56576cca3f3d9bf2060e9755ddb3c040

SHA256
a1992fefecc6b705b9b749c77ba8cd2ea375ea192749663a629e34a08d3c03ce

SHA512
db6f858bf7aab7a44f3806407780f243e5b27876a91db9a1896493906bcd57d9627a952cb6edf7ce7a083b3097abdd2de5abb457a968663725d06aa8b4304705

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1af8875-1b43-4344-8b18-ce9c6387cc82.vbs

Filesize
737B

MD5
44a9d9c9db6dfd4f5de06d9f4e5d3f61

SHA1
1ac7f9bc9ab4690a9b7678e5587c330555852aee

SHA256
ec0b571f767265851359b1022850cfaa53a40a3cdb69b682aa1b5b55ce3e7812

SHA512
1e9232f57ddcf0caec88331360e0a467adafd23e29dbf6ebcbe6736bc8b66e974269ea269e14c4255b3b3548d931ce8438bf5e5c90c6729e65cf900f896ac153

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea3c76ae-32dc-4c44-a931-c06183056d7c.vbs

Filesize
737B

MD5
275e59d0d3ad71b7801460fa39cc3197

SHA1
def77c3551dac2ef28aca5e16ae9db0531161552

SHA256
4936705ef161fbfedd391608ebb653286c5a68154057fac107fb78c0529f167e

SHA512
5c54e89c9fca569c7aa2b0346be9b11e3f5cd5b06098e83380adb2bd74051861b88aa4810014884ecb99b3fcefa120c11c10f06f4b489fb67709937331cb8fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc8bff65-412c-466c-b737-91e6baba1206.vbs

Filesize
736B

MD5
1fcf825af1dab44ad74fb6136f4fd296

SHA1
0895a1df27b17d1c180fa21942a7cadd24675279

SHA256
1d7358f88198e23ecbc694b7d253f282379117b07218be3646705b02aef72c2d

SHA512
e243179aaebde078d677430c2965583adbc75874b57fc2c0792f2dad4375b25eecbaf18d8f3959e81b836ed25f1f545c9979cf83245ef7f2fc63ac456f3dbf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbKBZUlOPJ.bat

Filesize
226B

MD5
4cbdc0e6f77d417306b16d7c628e5bd0

SHA1
b5ad89407352dd0364a76ae9928591fc5759f21e

SHA256
8a0240d3ce6e9ab003e33c9a33f7b18ae979e64ad498536cd5d399e8b4b06bf7

SHA512
da513b9cf4294878077589c21b536f5c32c6adda4a902305b629d6379f3c41f0c7f9b8d9aee7b94259853973b903be6c48cfe0404f5f60287eb203ad702d463b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6BE.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
46a57e1154bc20fbb791536f1054832c

SHA1
e96db524c8e288321676735db5b74ac8d97e986e

SHA256
cc1752cb6dbc7e3200384235344a5346cd1043e2c584161478b3618ace08ba5f

SHA512
70ea2e7d720d1a95704cf7fe90eea498060e441ada904308a2883d7fb74e60370820d2cbba2470fb197b9bcc96788ffe445e0225e79fb63d78da6b53deeb4f02

Download Submit
C:\Users\Public\Videos\Sample Videos\System.exe

Filesize
4.9MB

MD5
446d69d1d68f0c0ee6c5f6b1fc5fca90

SHA1
63de6dc0d2b9adcb1dfb39f0209079bae1b2b0d7

SHA256
14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6

SHA512
5a83eb3bae4aadbf01fd0b6632ffb7f2521d26c00dd60f63b0d782d267ceaa3b545d902803f26d9a3033a854fe447bddba95e68494eca84ff99835ef88da5d8a

Download Submit
memory/548-173-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/576-142-0x0000000000800000-0x0000000000CF4000-memory.dmp

Filesize
5.0MB

Download
memory/576-143-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/940-280-0x00000000003B0000-0x00000000008A4000-memory.dmp

Filesize
5.0MB

Download
memory/1080-235-0x0000000000C30000-0x0000000001124000-memory.dmp

Filesize
5.0MB

Download
memory/1104-250-0x0000000000040000-0x0000000000534000-memory.dmp

Filesize
5.0MB

Download
memory/1664-188-0x00000000000B0000-0x00000000005A4000-memory.dmp

Filesize
5.0MB

Download
memory/1664-189-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/1664-324-0x0000000001370000-0x0000000001864000-memory.dmp

Filesize
5.0MB

Download
memory/1900-158-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1900-157-0x00000000011E0000-0x00000000016D4000-memory.dmp

Filesize
5.0MB

Download
memory/2020-265-0x0000000000B80000-0x0000000001074000-memory.dmp

Filesize
5.0MB

Download
memory/2028-204-0x00000000001B0000-0x00000000006A4000-memory.dmp

Filesize
5.0MB

Download
memory/2152-13-0x0000000000DE0000-0x0000000000DEE000-memory.dmp

Filesize
56KB

Download
memory/2152-11-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/2152-1-0x00000000010E0000-0x00000000015D4000-memory.dmp

Filesize
5.0MB

Download
memory/2152-79-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-16-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/2152-15-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2152-14-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/2152-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2152-2-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-3-0x0000000000FB0000-0x00000000010DE000-memory.dmp

Filesize
1.2MB

Download
memory/2152-12-0x0000000000C40000-0x0000000000C4E000-memory.dmp

Filesize
56KB

Download
memory/2152-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2152-10-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2152-9-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/2152-8-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/2152-7-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/2152-6-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2152-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2212-295-0x00000000012E0000-0x00000000017D4000-memory.dmp

Filesize
5.0MB

Download
memory/2212-220-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2212-219-0x0000000000840000-0x0000000000D34000-memory.dmp

Filesize
5.0MB

Download
memory/2396-93-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2396-92-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download