dcrat | d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Size

4.9MB
MD5

b21ada03a51a7236ecf51f3b094ba460
SHA1

94767c26a9cf793e3fe7f095b8d548d12317e04a
SHA256

d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1
SHA512

93c38e3210cbb72e1dae14cb5656b066b8e6a719a1b749c194bdab9b129aaace59557bf1e05e611c52695e85fba84608ad5613762f9f87e7860b433cf2177e4f
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2428	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exed76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2084-3-0x000000001B6D0000-0x000000001B7FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2664	powershell.exe
2524	powershell.exe
1632	powershell.exe
2344	powershell.exe
1512	powershell.exe
2332	powershell.exe
2024	powershell.exe
2844	powershell.exe
2556	powershell.exe
1604	powershell.exe
2108	powershell.exe
1508	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid process

564 lsass.exe
2180 lsass.exe
2136 lsass.exe
1732 lsass.exe
2084 lsass.exe
1544 lsass.exe
2156 lsass.exe
2668 lsass.exe
2360 lsass.exe
2052 lsass.exe

pid	process
564	lsass.exe
2180	lsass.exe
2136	lsass.exe
1732	lsass.exe
2084	lsass.exe
1544	lsass.exe
2156	lsass.exe
2668	lsass.exe
2360	lsass.exe
2052	lsass.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exelsass.exed76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in Program Files directory 20 IoCs

Processes:

d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\WMIADAP.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\explorer.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files\Windows Media Player\fr-FR\dwm.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files\DVD Maker\RCXE97F.tmp	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\dwm.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\explorer.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\WMIADAP.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\7a0fd90576e088	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files\DVD Maker\lsm.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files\DVD Maker\101b941d020240	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\75a57c1bdf437c	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files\DVD Maker\lsm.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Program Files\Windows Media Player\fr-FR\6cb0b6c459d5d3	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXD808.tmp	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXDA1B.tmp	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\RCXE77B.tmp	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXEBF0.tmp	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe

Drops file in Windows directory 4 IoCs

Processes:

d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe

description	ioc	process
File created	C:\Windows\L2Schemas\lsass.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File created	C:\Windows\L2Schemas\6203df4a6bafc7	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Windows\L2Schemas\RCXE306.tmp	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
File opened for modification	C:\Windows\L2Schemas\lsass.exe	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2940	schtasks.exe
1960	schtasks.exe
1656	schtasks.exe
3016	schtasks.exe
2808	schtasks.exe
2740	schtasks.exe
2484	schtasks.exe
2896	schtasks.exe
2708	schtasks.exe
2956	schtasks.exe
2716	schtasks.exe
1936	schtasks.exe
112	schtasks.exe
676	schtasks.exe
960	schtasks.exe
2684	schtasks.exe
2420	schtasks.exe
1852	schtasks.exe
2104	schtasks.exe
2780	schtasks.exe
2892	schtasks.exe
2872	schtasks.exe
928	schtasks.exe
2592	schtasks.exe
2644	schtasks.exe
2920	schtasks.exe
1812	schtasks.exe
1540	schtasks.exe
536	schtasks.exe
2908	schtasks.exe
1700	schtasks.exe
1840	schtasks.exe
2628	schtasks.exe
2132	schtasks.exe
1460	schtasks.exe
1864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
1508	powershell.exe
2332	powershell.exe
2524	powershell.exe
1512	powershell.exe
1604	powershell.exe
2844	powershell.exe
2556	powershell.exe
2024	powershell.exe
2664	powershell.exe
2344	powershell.exe
1632	powershell.exe
564	lsass.exe
2180	lsass.exe
2136	lsass.exe
1732	lsass.exe
2084	lsass.exe
1544	lsass.exe
2156	lsass.exe
2668	lsass.exe
2360	lsass.exe
2052	lsass.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	564	lsass.exe
Token: SeDebugPrivilege	2180	lsass.exe
Token: SeDebugPrivilege	2136	lsass.exe
Token: SeDebugPrivilege	1732	lsass.exe
Token: SeDebugPrivilege	2084	lsass.exe
Token: SeDebugPrivilege	1544	lsass.exe
Token: SeDebugPrivilege	2156	lsass.exe
Token: SeDebugPrivilege	2668	lsass.exe
Token: SeDebugPrivilege	2360	lsass.exe
Token: SeDebugPrivilege	2052	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exelsass.exeWScript.exelsass.exeWScript.exelsass.exeWScript.exe

description	pid	process	target process
PID 2084 wrote to memory of 2108	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2108	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2108	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1508	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1508	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1508	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1512	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1512	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1512	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2524	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2524	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2524	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1604	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1604	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1604	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2332	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2332	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2332	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2556	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2556	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2556	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1632	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1632	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 1632	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2344	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2344	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2344	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2664	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2664	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2664	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2024	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2024	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2024	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2844	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2844	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 2844	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	powershell.exe
PID 2084 wrote to memory of 564	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	lsass.exe
PID 2084 wrote to memory of 564	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	lsass.exe
PID 2084 wrote to memory of 564	2084	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe	lsass.exe
PID 564 wrote to memory of 1400	564	lsass.exe	WScript.exe
PID 564 wrote to memory of 1400	564	lsass.exe	WScript.exe
PID 564 wrote to memory of 1400	564	lsass.exe	WScript.exe
PID 564 wrote to memory of 1248	564	lsass.exe	WScript.exe
PID 564 wrote to memory of 1248	564	lsass.exe	WScript.exe
PID 564 wrote to memory of 1248	564	lsass.exe	WScript.exe
PID 1400 wrote to memory of 2180	1400	WScript.exe	lsass.exe
PID 1400 wrote to memory of 2180	1400	WScript.exe	lsass.exe
PID 1400 wrote to memory of 2180	1400	WScript.exe	lsass.exe
PID 2180 wrote to memory of 1976	2180	lsass.exe	WScript.exe
PID 2180 wrote to memory of 1976	2180	lsass.exe	WScript.exe
PID 2180 wrote to memory of 1976	2180	lsass.exe	WScript.exe
PID 2180 wrote to memory of 2940	2180	lsass.exe	WScript.exe
PID 2180 wrote to memory of 2940	2180	lsass.exe	WScript.exe
PID 2180 wrote to memory of 2940	2180	lsass.exe	WScript.exe
PID 1976 wrote to memory of 2136	1976	WScript.exe	lsass.exe
PID 1976 wrote to memory of 2136	1976	WScript.exe	lsass.exe
PID 1976 wrote to memory of 2136	1976	WScript.exe	lsass.exe
PID 2136 wrote to memory of 2548	2136	lsass.exe	WScript.exe
PID 2136 wrote to memory of 2548	2136	lsass.exe	WScript.exe
PID 2136 wrote to memory of 2548	2136	lsass.exe	WScript.exe
PID 2136 wrote to memory of 2008	2136	lsass.exe	WScript.exe
PID 2136 wrote to memory of 2008	2136	lsass.exe	WScript.exe
PID 2136 wrote to memory of 2008	2136	lsass.exe	WScript.exe
PID 2548 wrote to memory of 1732	2548	WScript.exe	lsass.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exed76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe
"C:\Users\Admin\AppData\Local\Temp\d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cc1f7b8-df2d-4191-bb12-92cc580ce2bc.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2180

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81713399-8073-49a6-9527-fe1481e052ab.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2136

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\194ebd74-5e5c-462b-9f4e-6c860a94a9af.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23602d42-1799-4c9e-b0d2-43ff9a73d4ad.vbs"
9⤵
PID:2344

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aa36348-d5ac-46bd-b7d0-1b884d8830aa.vbs"
11⤵
PID:2176

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d207133-5713-48ef-a055-2a93a74c7ba6.vbs"
13⤵
PID:2948

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\609c0cab-e428-404d-bc27-22e3f6a4a8f2.vbs"
15⤵
PID:2392

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2668

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\567647f7-1d02-4109-9f1b-6893a56e05de.vbs"
17⤵
PID:2736

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2360

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51a23866-9fc6-4260-b2d1-38dfd9d4d443.vbs"
19⤵
PID:1880

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8f77689-2290-4f92-b314-f3cda46bc6c1.vbs"
21⤵
PID:1440

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea477adf-7313-4371-b476-e07db086c60b.vbs"
21⤵
PID:2820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f03ae2fc-f964-458b-b0d8-9df4e5837775.vbs"
19⤵
PID:2368

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\048a4798-25fb-4a23-b26d-6618310b84f0.vbs"
17⤵
PID:1492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee7f0569-5e25-4e77-b508-ca2df69709c2.vbs"
15⤵
PID:1272

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cae2c1f8-8d07-4466-8a89-8af6de8479fe.vbs"
13⤵
PID:2696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2728d66-c456-4dd8-bda6-d884740147d8.vbs"
11⤵
PID:1840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f19db497-cd4a-40af-a975-6adf665126d9.vbs"
9⤵
PID:900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9adb1366-7d72-4d1e-b64b-94e47d33b2a7.vbs"
7⤵
PID:2008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c06a5994-7c44-4d07-9f21-6060551f405e.vbs"
5⤵
PID:2940

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbededf9-f009-4bcf-859f-2024042db71f.vbs"
3⤵
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe
Filesize
4.9MB

MD5
b21ada03a51a7236ecf51f3b094ba460

SHA1
94767c26a9cf793e3fe7f095b8d548d12317e04a

SHA256
d76d0eede5de9005760ee65ef39708c43f9327d0ba9ebaefcd39906c951eb3d1

SHA512
93c38e3210cbb72e1dae14cb5656b066b8e6a719a1b749c194bdab9b129aaace59557bf1e05e611c52695e85fba84608ad5613762f9f87e7860b433cf2177e4f

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
Filesize
4.9MB

MD5
0ea74ba1b73ef6f20b4b5bf3517f69dd

SHA1
9d5177332ab733d01f1b51e88e8bc31a88baaf31

SHA256
b4d4b5823d19e60fe78d58707017cdc3a65fdcc7601dcf4caff692cb2c1d1519

SHA512
7fe38cd30d3bde3af2a26f7108033b40d4787488fdcf36f9e92f7ef3fc8a35dc404842858cad7faacfbae62c1cb3183fc4a28c47c841b32071184647a6863e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\194ebd74-5e5c-462b-9f4e-6c860a94a9af.vbs
Filesize
734B

MD5
32bb7ab6704114dc6637e85cf49c65c1

SHA1
ddac8b9bc6b57c3162bcd8dbb2a198fe628ccde7

SHA256
fe8ec7a3e3ec2a459668f5e2c9796b975983b667ceeb37f36f75e2db6ee9e38d

SHA512
842987fa8337d4f7efae7549b7ec095ba6e61c47f363526d0a74b61f289ff0a92d0ba047301e639238085dc481be0378ac00b2caf7015c59f8a06591821b9aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1aa36348-d5ac-46bd-b7d0-1b884d8830aa.vbs
Filesize
734B

MD5
26b376f391b0c0682409e47c37b83dda

SHA1
84b6f5c896c4842090a0a76ee124f30652c0cbd6

SHA256
9362b1b6ff716d7b524af97f13ac2772df7f1a532b8aea08d22011c2fb50b1d1

SHA512
7b6cfc35c95bcae98abc4599001de6f6f045876737dba1efbf36bd0a920788e0413b86fc2be4e8c05f2d1026ebbc744461476c8544ca4740cd7c09bde0d348f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cc1f7b8-df2d-4191-bb12-92cc580ce2bc.vbs
Filesize
733B

MD5
781cc10ab4c14036f1d1f0a16bf6fe53

SHA1
673f0a5ea4e111bdc9c3a8724588a110f6bf260c

SHA256
03c758a7b0cf4ee2e9bd4d8f8d5448acad45a7b87f5713e13c173f503c4c69a7

SHA512
0880dc8cd00e09b8c636f218e9478a60b629fb1afb768330bd9ff965e8dd044ee976d6a2ad2010ed830067eb8cf0a2c89255c222e43efacf8d8b60d1d7be6cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\23602d42-1799-4c9e-b0d2-43ff9a73d4ad.vbs
Filesize
734B

MD5
c3b05b402b0fc53c36d2d169f85f6703

SHA1
83922458b0f1f7fef032a317789aa0ad6351c41a

SHA256
b13d16177fa5ba1b1fb79a7d8feded9a5a444b7fead653c5f86154c2e12b25f7

SHA512
6e4f6254573c2f6465d2394798022fc529c9bd437f31ed740cecd2afbb8d1e092bf632dcf56fd7eeb50e3776d6b55cfd41fd2179da8459929d68cbef2b4454fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d207133-5713-48ef-a055-2a93a74c7ba6.vbs
Filesize
734B

MD5
72ce26ba4415f0745c31103dc65dcbb5

SHA1
b77c19caee831ac870ebee8fd3bc61488a32f981

SHA256
0ca46b02a6bffc9f104d333fcf37e42996f88fc5bc76238feb664f4b59f7b9c5

SHA512
9a50afb57d9cfd1fc2fde000dcdbf32a802fa647941b53c92e72f55f62e01021798abc9ada75a7a3561725e6c49613957389a447b538fe7c8ae250a57bd358f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\51a23866-9fc6-4260-b2d1-38dfd9d4d443.vbs
Filesize
734B

MD5
5b1a9377fb6602955a8695396b220aa9

SHA1
aa565e6e449360622334b5ffc7430812b08e9fd5

SHA256
497a25f8ad3147fc76c7b4f25b0dd0f2b771fdf9a2f37f8f51a3d2f1e6bd3875

SHA512
35c519739a86b893c0a3f1a044fbf30f579574bc6701bcf39dacc27fb5553bfde6a8d695f7586819427c9a22f64d654806aec143b94035f6cdfba4157aabb665

Download Submit
C:\Users\Admin\AppData\Local\Temp\567647f7-1d02-4109-9f1b-6893a56e05de.vbs
Filesize
734B

MD5
2648b51741cc9dbbbef4de0bd97bafd5

SHA1
e80cdc04cde8b622f7f4a2985f0fafe546842430

SHA256
90f2b9357228dcae6a76f653689e6814bb00f47e1cd5281e1855b772129e5864

SHA512
0425a6eb34205f944605a901f76728601ee9843560adcb29037570258a2b5c6bdcdca1e5bbcf91e010d491624125af1e327e6e747971ae2cee1e3da5e5f267a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\609c0cab-e428-404d-bc27-22e3f6a4a8f2.vbs
Filesize
734B

MD5
f042c61b688860b23fa5fdd857c096ba

SHA1
4ae7cbbe2f0147e0edf5631f0a1d5ecefd5d981e

SHA256
94a4676f492304909d78eeeb70ea70e679989fc0a98af4142d5b75affd4511a9

SHA512
918074c166f2910866393b86aaa05f3556f1b8416bbde5797407ff3210b29498d838773beba2322cf704c1771514a1a0e81ac23128f94a17a827c30b75f0f4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\81713399-8073-49a6-9527-fe1481e052ab.vbs
Filesize
734B

MD5
51420114d8cf6b6dabbd1cbe6224d518

SHA1
6f6a6403e432c53cfe8352253fe8058994150d9f

SHA256
4f4d088caa3422fdceec941bb2d460ffa881220cf060a4086ea8aeae350b784c

SHA512
c128155e6cb8309c1fb71429a2b88107ab7a41e4d9bd5b77ebb2acc67187297200a38656cd17b9b8c82d63f4d7f12e0d3d1dd970153ec5f87e12bac300008139

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8f77689-2290-4f92-b314-f3cda46bc6c1.vbs
Filesize
734B

MD5
800389d0a21b81d34803556e4b1c7b53

SHA1
997eab6f87dc18d1e29c61e7dfd0e1f24c1f8cf8

SHA256
d04591a2e5d309e132a83340c8bd24eb8be218f1ea97c72971785666cb525a25

SHA512
de3a85bffb3c435a3cbae548b3ac34002d0d1362911be439441d3fa6cebb7f927f6967ce20f8aa3fa40003da867f48149a0ef6f14f061c0b88cd14329dfa7a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbededf9-f009-4bcf-859f-2024042db71f.vbs
Filesize
510B

MD5
a0c8d314a9d64491b6849b07df922b8a

SHA1
7ad92d49c73c0200420175f432490e68325ccf34

SHA256
97d4476e8ee5d88af51e205865ac8af5e87549f7089f64d86f10441bae27ff5c

SHA512
b250581bf6ecf465df5f4660d1175c77ecca15e8772f54a1cc84ff9ee68041c6e69a12a69d0073039842e20b2c9131f6610dc976429934a8fb651f58edae50ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32C.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TWQVOREYP0N9P3ITO7PJ.temp
Filesize
7KB

MD5
efa6bd7d6c1d28746bf3e0b8a0d0b6f7

SHA1
b16b58e5e21496e16ac5b307a6a742b34791d012

SHA256
1b8309e3bad206910033c41a0ebc1cdcd613524e3dfb5f4e4cd237ae82956b7b

SHA512
b3fa8d458f839a68b316f6d1f4e05047d4f3821b0889c4b15c310ebaf285c80e5621e5b3b786e3b81ac676ad17e37bf2860257bbda9b4d2ffe67298c69a962d5

Download Submit
memory/564-184-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/564-191-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1508-133-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1508-138-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1544-265-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/1732-235-0x0000000000190000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download
memory/2052-325-0x00000000002F0000-0x00000000007E4000-memory.dmp

Filesize
5.0MB

Download
memory/2052-326-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2084-250-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download
memory/2084-11-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/2084-190-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-175-0x000007FEF6053000-0x000007FEF6054000-memory.dmp

Filesize
4KB

Download
memory/2084-16-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2084-15-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/2084-14-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/2084-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2084-13-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/2084-2-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-12-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/2084-3-0x000000001B6D0000-0x000000001B7FE000-memory.dmp

Filesize
1.2MB

Download
memory/2084-10-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2084-0-0x000007FEF6053000-0x000007FEF6054000-memory.dmp

Filesize
4KB

Download
memory/2084-9-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/2084-8-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2084-7-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2084-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2084-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2084-1-0x0000000001100000-0x00000000015F4000-memory.dmp

Filesize
5.0MB

Download
memory/2108-189-0x000007FEEBEC0000-0x000007FEEC85D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-220-0x00000000009B0000-0x0000000000EA4000-memory.dmp

Filesize
5.0MB

Download
memory/2156-280-0x0000000000A00000-0x0000000000EF4000-memory.dmp

Filesize
5.0MB

Download
memory/2180-205-0x0000000000020000-0x0000000000514000-memory.dmp

Filesize
5.0MB

Download
memory/2360-310-0x0000000000CE0000-0x00000000011D4000-memory.dmp

Filesize
5.0MB

Download
memory/2668-295-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download