dcrat | 14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Size

4.9MB
MD5

446d69d1d68f0c0ee6c5f6b1fc5fca90
SHA1

63de6dc0d2b9adcb1dfb39f0209079bae1b2b0d7
SHA256

14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6
SHA512

5a83eb3bae4aadbf01fd0b6632ffb7f2521d26c00dd60f63b0d782d267ceaa3b545d902803f26d9a3033a854fe447bddba95e68494eca84ff99835ef88da5d8a
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1920	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2172-3-0x000000001B5B0000-0x000000001B6DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2640	powershell.exe
2140	powershell.exe
1452	powershell.exe
2984	powershell.exe
3036	powershell.exe
2224	powershell.exe
2972	powershell.exe
2932	powershell.exe
2648	powershell.exe
2896	powershell.exe
2740	powershell.exe
2936	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
736	dllhost.exe
1524	dllhost.exe
1008	dllhost.exe
2304	dllhost.exe
1732	dllhost.exe
1356	dllhost.exe
2992	dllhost.exe
864	dllhost.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\explorer.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\explorer.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\7a0fd90576e088	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\886983d96e3d3e	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXDABF.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCXE0CB.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\RCXD6A8.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXD8AC.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\0a1fd5f707cd16	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\5940a34987c991	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Windows\TAPI\RCXCA14.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXCE2C.tmp	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Windows\Vss\Writers\Application\dllhost.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Windows\TAPI\wininit.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File opened for modification	C:\Windows\TAPI\wininit.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Windows\TAPI\56085415360792	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
File created	C:\Windows\Vss\Writers\Application\dllhost.exe	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2952	schtasks.exe
2608	schtasks.exe
412	schtasks.exe
2644	schtasks.exe
1524	schtasks.exe
1960	schtasks.exe
2080	schtasks.exe
1612	schtasks.exe
2032	schtasks.exe
2776	schtasks.exe
2980	schtasks.exe
2160	schtasks.exe
2648	schtasks.exe
2308	schtasks.exe
2820	schtasks.exe
948	schtasks.exe
2588	schtasks.exe
2472	schtasks.exe
1700	schtasks.exe
2084	schtasks.exe
2864	schtasks.exe
2204	schtasks.exe
2144	schtasks.exe
1844	schtasks.exe
1852	schtasks.exe
1356	schtasks.exe
1212	schtasks.exe
2492	schtasks.exe
2460	schtasks.exe
2224	schtasks.exe
2008	schtasks.exe
2616	schtasks.exe
1600	schtasks.exe
1220	schtasks.exe
1840	schtasks.exe
3064	schtasks.exe
2868	schtasks.exe
2712	schtasks.exe
1688	schtasks.exe
2180	schtasks.exe
1444	schtasks.exe
808	schtasks.exe
2752	schtasks.exe
2788	schtasks.exe
1560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
3036	powershell.exe
2896	powershell.exe
2140	powershell.exe
1452	powershell.exe
2648	powershell.exe
2972	powershell.exe
2932	powershell.exe
2740	powershell.exe
2224	powershell.exe
2640	powershell.exe
2984	powershell.exe
2936	powershell.exe
736	dllhost.exe
1524	dllhost.exe
1008	dllhost.exe
2304	dllhost.exe
1732	dllhost.exe
1356	dllhost.exe
2992	dllhost.exe
864	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	736	dllhost.exe
Token: SeDebugPrivilege	1524	dllhost.exe
Token: SeDebugPrivilege	1008	dllhost.exe
Token: SeDebugPrivilege	2304	dllhost.exe
Token: SeDebugPrivilege	1732	dllhost.exe
Token: SeDebugPrivilege	1356	dllhost.exe
Token: SeDebugPrivilege	2992	dllhost.exe
Token: SeDebugPrivilege	864	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3036	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	77
PID 2172 wrote to memory of 3036	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	77
PID 2172 wrote to memory of 3036	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	77
PID 2172 wrote to memory of 2224	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	78
PID 2172 wrote to memory of 2224	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	78
PID 2172 wrote to memory of 2224	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	78
PID 2172 wrote to memory of 2972	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	79
PID 2172 wrote to memory of 2972	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	79
PID 2172 wrote to memory of 2972	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	79
PID 2172 wrote to memory of 2932	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	80
PID 2172 wrote to memory of 2932	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	80
PID 2172 wrote to memory of 2932	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	80
PID 2172 wrote to memory of 2640	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	81
PID 2172 wrote to memory of 2640	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	81
PID 2172 wrote to memory of 2640	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	81
PID 2172 wrote to memory of 2648	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	82
PID 2172 wrote to memory of 2648	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	82
PID 2172 wrote to memory of 2648	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	82
PID 2172 wrote to memory of 2140	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	83
PID 2172 wrote to memory of 2140	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	83
PID 2172 wrote to memory of 2140	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	83
PID 2172 wrote to memory of 2896	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	84
PID 2172 wrote to memory of 2896	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	84
PID 2172 wrote to memory of 2896	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	84
PID 2172 wrote to memory of 2740	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	85
PID 2172 wrote to memory of 2740	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	85
PID 2172 wrote to memory of 2740	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	85
PID 2172 wrote to memory of 2936	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	86
PID 2172 wrote to memory of 2936	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	86
PID 2172 wrote to memory of 2936	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	86
PID 2172 wrote to memory of 1452	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	87
PID 2172 wrote to memory of 1452	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	87
PID 2172 wrote to memory of 1452	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	87
PID 2172 wrote to memory of 2984	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	88
PID 2172 wrote to memory of 2984	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	88
PID 2172 wrote to memory of 2984	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	88
PID 2172 wrote to memory of 2864	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	101
PID 2172 wrote to memory of 2864	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	101
PID 2172 wrote to memory of 2864	2172	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe	101
PID 2864 wrote to memory of 1612	2864	cmd.exe	103
PID 2864 wrote to memory of 1612	2864	cmd.exe	103
PID 2864 wrote to memory of 1612	2864	cmd.exe	103
PID 2864 wrote to memory of 736	2864	cmd.exe	104
PID 2864 wrote to memory of 736	2864	cmd.exe	104
PID 2864 wrote to memory of 736	2864	cmd.exe	104
PID 736 wrote to memory of 2976	736	dllhost.exe	105
PID 736 wrote to memory of 2976	736	dllhost.exe	105
PID 736 wrote to memory of 2976	736	dllhost.exe	105
PID 736 wrote to memory of 500	736	dllhost.exe	106
PID 736 wrote to memory of 500	736	dllhost.exe	106
PID 736 wrote to memory of 500	736	dllhost.exe	106
PID 2976 wrote to memory of 1524	2976	WScript.exe	107
PID 2976 wrote to memory of 1524	2976	WScript.exe	107
PID 2976 wrote to memory of 1524	2976	WScript.exe	107
PID 1524 wrote to memory of 544	1524	dllhost.exe	108
PID 1524 wrote to memory of 544	1524	dllhost.exe	108
PID 1524 wrote to memory of 544	1524	dllhost.exe	108
PID 1524 wrote to memory of 2956	1524	dllhost.exe	109
PID 1524 wrote to memory of 2956	1524	dllhost.exe	109
PID 1524 wrote to memory of 2956	1524	dllhost.exe	109
PID 544 wrote to memory of 1008	544	WScript.exe	110
PID 544 wrote to memory of 1008	544	WScript.exe	110
PID 544 wrote to memory of 1008	544	WScript.exe	110
PID 1008 wrote to memory of 2052	1008	dllhost.exe	111

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe
"C:\Users\Admin\AppData\Local\Temp\14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUCT1VMmXo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1612
- - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
    "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:736
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a616ae7-dcc5-4ca7-95ae-b530f136b4eb.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1524
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99505abb-8142-444e-b998-dab3b8973b8a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab6c6f05-983c-47cf-9168-a4293701f711.vbs"
        8⤵
        
        PID:2052
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a860365-ed38-470b-bdba-e0f89a76994c.vbs"
        10⤵
        
        PID:2660
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57972960-0bc9-43c0-adbf-ebf00b02609b.vbs"
        12⤵
        
        PID:2728
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\619c2105-890a-4714-855f-a505c3d94b62.vbs"
        14⤵
        
        PID:2832
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb3a1aa-b92e-44bd-81ba-babac65170f1.vbs"
        16⤵
        
        PID:584
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac59d545-86c1-48de-88a6-c1d404ac50c0.vbs"
        18⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40f684d2-928d-4bda-be42-4183e7148013.vbs"
        18⤵
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c6840ec-7446-4546-bd4e-a2c62f5193c9.vbs"
        16⤵
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\619bf024-9eb2-46fc-ad55-1b42db338988.vbs"
        14⤵
        
        PID:1104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eec06d0f-cb46-4288-bfde-55eac9e6bd49.vbs"
        12⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d70d733-799c-46b6-ae4f-f4f6a60a750c.vbs"
        10⤵
        
        PID:1308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef10c80d-fa50-4479-b90f-b69d9d81836b.vbs"
        8⤵
        
        PID:2788
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78779ebf-a660-452d-b48a-8d4c1717cab9.vbs"
        6⤵
        
        PID:2956
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fac08fcd-7a49-4d89-8c53-f94f8bded058.vbs"
      4⤵
      PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
4.9MB

MD5
446d69d1d68f0c0ee6c5f6b1fc5fca90

SHA1
63de6dc0d2b9adcb1dfb39f0209079bae1b2b0d7

SHA256
14f4b83a1fcb925d74e9956182b4a3d4270616642204f12c08a7b0dc0c0f54f6

SHA512
5a83eb3bae4aadbf01fd0b6632ffb7f2521d26c00dd60f63b0d782d267ceaa3b545d902803f26d9a3033a854fe447bddba95e68494eca84ff99835ef88da5d8a

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXD8AC.tmp

Filesize
4.9MB

MD5
954c0a21ee015342cc520d5416c4702c

SHA1
7cdda8c1f725f1498913e805848cb232d69eae64

SHA256
3f21363a39ca3556c8ba12b6d61d404e07f7ab039ee283d106609e1f08f31d88

SHA512
5d688ab53615f3c74d6eecb0f262acaeaa36a925883e1b3be53186270258235cbda9b8aa62dca1ca3d83192eb8f71287cda1fcab6fe288d95bcbd171ae9e0537

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fb3a1aa-b92e-44bd-81ba-babac65170f1.vbs

Filesize
751B

MD5
46318b09bf229fb01344d39604c32651

SHA1
7132c9cbc2c256d59a725811801c142985d04fdd

SHA256
2b49c0208e93336593dbade1126bcfdeaaa53c506a0c981d4e71272174c49ebd

SHA512
8ae62f133f0f413b7ea81638315de162e3f0e4a2e695df9782dfa8a55b1185085e92b3a4ef58444986dc6a9c505679b697a2fd9ef636d8200cb29fc686f00a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ff612f1997476939b499e2cce21527ca20299c4.exe

Filesize
3.6MB

MD5
0ab29650552938d47fb94878e0771879

SHA1
3ab5abc9eeb1195e0d841321cf602dfb6a2fc6f2

SHA256
47d8f50ef2bf0171798fa035c101cfb8ef6030430b2e97a4158c6491c50bed7f

SHA512
84e9f9b8a0599dcf52447171bb142d95057cf3fd23ac2e0b97ea2928227917e6fdab3ee0d2a080750f2d7d80b58f480dff21d1a6ddea0c5a38b256a9256aedda

Download Submit
C:\Users\Admin\AppData\Local\Temp\57972960-0bc9-43c0-adbf-ebf00b02609b.vbs

Filesize
751B

MD5
888cd2342beb7adcf588f2345e8628b1

SHA1
690da4e4478fa94c99a1efda7e9c0b3438a328ec

SHA256
3c96541651d6be634fb884cf47aaa75fa83f563dd2946a0f1f7222dac8bcca25

SHA512
307d717924a6629fd7f2cc9623d9c141f77e95817fa49f8260098e74f1c4282746e06b48bc34f7b63f1b3fca9a063aa27b6677a7bcba02e342447fa3bc19d939

Download Submit
C:\Users\Admin\AppData\Local\Temp\619c2105-890a-4714-855f-a505c3d94b62.vbs

Filesize
751B

MD5
28e988556107b042f827208140c7e871

SHA1
69e74354d3c78e9f1cc335b04e99b22e8ab8eae9

SHA256
7cfaa3c0dc73d8cc2f00951b6c35476b69b3986505b6f4b38b7275d4073aa74a

SHA512
d60405752884f4b3d7d6b5af6a75c3ab0477fe4e2e03cd132d2089f9bfcfec60b03d9422d100a8a4b69ab1a07299f478fdbe00870b653adfceb5dcb76e8d639c

Download Submit
C:\Users\Admin\AppData\Local\Temp\99505abb-8142-444e-b998-dab3b8973b8a.vbs

Filesize
751B

MD5
0d79b89847740ced28cc84f1009f4c46

SHA1
f57f9e5f68c107b9276cae64bb4ff7b147fa84da

SHA256
04775b92a673a47ff56d579c9115ed6d728012b9c8742c019e7ab29ad6eaccb3

SHA512
f3eec4ba06009e4b7b13a1a1b24974051c0415de9da3e83080fd23d02d84d848acd3c82922c62cab1d95e8a0d5fcc42b1d2fba47da87e6c498a676eece3e4b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a616ae7-dcc5-4ca7-95ae-b530f136b4eb.vbs

Filesize
750B

MD5
e8426b374a4d1157bd5073d1e33458c9

SHA1
8fade26140cb4c04e8dccb9633a672549370b7fd

SHA256
7e908393b290c941619d011ffc9011dbfe0b97f017a38d95f63da3f92090db47

SHA512
b38ef8acecb14e75a986da11602cb12fbdfb66f794f0e9bfb4cab593419b57d42e81e83cfe95f76933bdc480b5986830234c3e9a70f88267283e8038826c503e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a860365-ed38-470b-bdba-e0f89a76994c.vbs

Filesize
751B

MD5
83531e049eeb5c05adda2442819bad0a

SHA1
22161ad9e87ed8ec056d929a3093764f71aca4d2

SHA256
621767328430ad9642a0c58ba539f00961457c24d137c44d5f9f375de6d1fdce

SHA512
1a9eb9be20ecd9d5dc37c83450e88a7b10b19f2d0921c732a179117adf98e16319a36131ad3c84b1eaa2061ab15d09ee34b5ffa9fbdaad6174a60dff5699a4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab6c6f05-983c-47cf-9168-a4293701f711.vbs

Filesize
751B

MD5
39acf537f4fb3ccc6159aa80b041faa5

SHA1
b092e7bbc1966858802f2df7616764d81b98b1e4

SHA256
27f804705f31f7c93487bc35a4aee486d6eb1e46111a5bd6b6f64a76a67c373a

SHA512
f99415f8767e0eb7221d9226853a6c815553684f0eed1a4a798124d7516decdfa463e2dbd2c0d14f492798a06edba41f0a2cdd3c55f9631141d966a9768fb663

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac59d545-86c1-48de-88a6-c1d404ac50c0.vbs

Filesize
750B

MD5
7921920871857dc72464601bda675722

SHA1
d46db3fae0b418c82f49cce5ae7f17ac9ce50943

SHA256
e8406788a372c71cdd84d47a98ff7e280e00b9546df725d7b07012f0bd52560e

SHA512
26c2751dcb5e37d466379fe8543cc7c65dcbf47f19b2c8581c80dea6890425e7747021ba79b2b138a1878a190de25104598085a5e5b351dc88165b8b6d703ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fac08fcd-7a49-4d89-8c53-f94f8bded058.vbs

Filesize
527B

MD5
9e0606831adffa1bf36adb94b8a9f7c9

SHA1
f6a1b9bb433dd7cf0cf4db3653e3585a913733a7

SHA256
c7c2fd0e853632928de6e7bef2aab8e766abbcf7d11551945b5dfe7884516870

SHA512
322ed7ca95a114210d045680932b1dee65fe9652239ea53e74d66b09c556eaa0c8ba6842767b6171181c78ea3f20994ef30848133524e4d52896f26091a31ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUCT1VMmXo.bat

Filesize
240B

MD5
c005ec2939f19c772c844bff5f8c345f

SHA1
e1e4b90b5e9a2544585c01bb5571e74f0fcf3bcb

SHA256
5d48f88e2fa3f059abe7633ee63280f33cf7f8e42158f0dcefa6436c84e2be6e

SHA512
1dbe8179ce5442ef1eaccaeb28ca782777105cdff558c60c0e8a9c8703a0f292a0ac0d6d6f2b6467b04d6cb8f6f15e3dcb724f439b35c8aa0821d26ea5a0211b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
90cbbb8fc943f4cb129b14f2c3def357

SHA1
6bbbb70d6e8999b761df83222b915cd26da7a37e

SHA256
413a41c22a400679b71c03a0f2ff5fa6fe6c7f5396174061f64862cacd7f367e

SHA512
63370af9137347bfee9a8c412d834657fcabd97d93af383e3d6bb4e1733ae5bae0b91bd45f69f1557a38b99d397d293e344e678747f6ae2a1d814ea9eef691c9

Download Submit
memory/736-228-0x00000000001C0000-0x00000000006B4000-memory.dmp

Filesize
5.0MB

Download
memory/736-229-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/1008-260-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1008-259-0x00000000009C0000-0x0000000000EB4000-memory.dmp

Filesize
5.0MB

Download
memory/1524-244-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/1524-243-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download
memory/2172-10-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2172-13-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2172-1-0x0000000000C70000-0x0000000001164000-memory.dmp

Filesize
5.0MB

Download
memory/2172-2-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2172-162-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-149-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2172-16-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2172-9-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2172-141-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/2172-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/2172-8-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2172-15-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2172-14-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2172-7-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/2172-3-0x000000001B5B0000-0x000000001B6DE000-memory.dmp

Filesize
1.2MB

Download
memory/2172-6-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/2172-5-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2172-4-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2304-275-0x00000000010F0000-0x00000000015E4000-memory.dmp

Filesize
5.0MB

Download
memory/3036-193-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/3036-192-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download