dcrat | 9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Size

4.9MB
MD5

e2241d87a05eba7625bd361348192770
SHA1

281b897777f56ef0d19d2d1ac01a8ccf192e6aaf
SHA256

9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01
SHA512

0d040357739485e57462e6ca307816f0e661f8329e31b533c750e027a5668376c1a2175630d22fd7f2db27ff8cf21377a8dfed55e59c986d762e804e2267536e
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1964	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1984-3-0x000000001B640000-0x000000001B76E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
992	powershell.exe
2776	powershell.exe
2968	powershell.exe
3048	powershell.exe
3068	powershell.exe
2664	powershell.exe
1200	powershell.exe
444	powershell.exe
2896	powershell.exe
476	powershell.exe
2828	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1744	dwm.exe
956	dwm.exe
580	dwm.exe
2348	dwm.exe
1584	dwm.exe
1532	dwm.exe
2256	dwm.exe
1508	dwm.exe
2972	dwm.exe
1368	dwm.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXA8BF.tmp	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File opened for modification	C:\Program Files\Windows Defender\OSPPSVC.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\6cb0b6c459d5d3	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\42af1c969fbb7b	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File opened for modification	C:\Program Files\Windows Defender\RCXC10C.tmp	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File created	C:\Program Files\Windows Defender\OSPPSVC.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File created	C:\Program Files\Windows Defender\1610b97d3ab4a7	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCXB890.tmp	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Vss\System.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File created	C:\Windows\Vss\27d1bcfc3c54e0	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File created	C:\Windows\schemas\TSWorkSpace\sppsvc.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File opened for modification	C:\Windows\Vss\RCXB41B.tmp	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
File opened for modification	C:\Windows\Vss\System.exe	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1500	schtasks.exe
2772	schtasks.exe
2916	schtasks.exe
2796	schtasks.exe
1956	schtasks.exe
1152	schtasks.exe
2552	schtasks.exe
1380	schtasks.exe
2636	schtasks.exe
2276	schtasks.exe
596	schtasks.exe
2884	schtasks.exe
316	schtasks.exe
416	schtasks.exe
2992	schtasks.exe
1924	schtasks.exe
588	schtasks.exe
2368	schtasks.exe
996	schtasks.exe
2624	schtasks.exe
2340	schtasks.exe
2684	schtasks.exe
2924	schtasks.exe
2336	schtasks.exe
2928	schtasks.exe
1160	schtasks.exe
2028	schtasks.exe
2828	schtasks.exe
2692	schtasks.exe
768	schtasks.exe
2592	schtasks.exe
3000	schtasks.exe
1868	schtasks.exe
1320	schtasks.exe
2332	schtasks.exe
1992	schtasks.exe
1748	schtasks.exe
2820	schtasks.exe
2256	schtasks.exe
2296	schtasks.exe
2848	schtasks.exe
1172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
2968	powershell.exe
444	powershell.exe
2828	powershell.exe
3068	powershell.exe
992	powershell.exe
476	powershell.exe
2896	powershell.exe
3048	powershell.exe
2956	powershell.exe
1200	powershell.exe
2776	powershell.exe
2664	powershell.exe
1744	dwm.exe
956	dwm.exe
580	dwm.exe
2348	dwm.exe
1584	dwm.exe
1532	dwm.exe
2256	dwm.exe
1508	dwm.exe
2972	dwm.exe
1368	dwm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	476	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1744	dwm.exe
Token: SeDebugPrivilege	956	dwm.exe
Token: SeDebugPrivilege	580	dwm.exe
Token: SeDebugPrivilege	2348	dwm.exe
Token: SeDebugPrivilege	1584	dwm.exe
Token: SeDebugPrivilege	1532	dwm.exe
Token: SeDebugPrivilege	2256	dwm.exe
Token: SeDebugPrivilege	1508	dwm.exe
Token: SeDebugPrivilege	2972	dwm.exe
Token: SeDebugPrivilege	1368	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3068	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	74
PID 1984 wrote to memory of 3068	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	74
PID 1984 wrote to memory of 3068	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	74
PID 1984 wrote to memory of 2664	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	75
PID 1984 wrote to memory of 2664	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	75
PID 1984 wrote to memory of 2664	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	75
PID 1984 wrote to memory of 444	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	76
PID 1984 wrote to memory of 444	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	76
PID 1984 wrote to memory of 444	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	76
PID 1984 wrote to memory of 2828	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	78
PID 1984 wrote to memory of 2828	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	78
PID 1984 wrote to memory of 2828	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	78
PID 1984 wrote to memory of 3048	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	79
PID 1984 wrote to memory of 3048	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	79
PID 1984 wrote to memory of 3048	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	79
PID 1984 wrote to memory of 2968	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	80
PID 1984 wrote to memory of 2968	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	80
PID 1984 wrote to memory of 2968	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	80
PID 1984 wrote to memory of 476	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	82
PID 1984 wrote to memory of 476	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	82
PID 1984 wrote to memory of 476	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	82
PID 1984 wrote to memory of 2776	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	83
PID 1984 wrote to memory of 2776	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	83
PID 1984 wrote to memory of 2776	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	83
PID 1984 wrote to memory of 1200	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	85
PID 1984 wrote to memory of 1200	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	85
PID 1984 wrote to memory of 1200	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	85
PID 1984 wrote to memory of 992	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	87
PID 1984 wrote to memory of 992	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	87
PID 1984 wrote to memory of 992	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	87
PID 1984 wrote to memory of 2896	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	88
PID 1984 wrote to memory of 2896	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	88
PID 1984 wrote to memory of 2896	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	88
PID 1984 wrote to memory of 2956	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	90
PID 1984 wrote to memory of 2956	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	90
PID 1984 wrote to memory of 2956	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	90
PID 1984 wrote to memory of 1744	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	99
PID 1984 wrote to memory of 1744	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	99
PID 1984 wrote to memory of 1744	1984	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe	99
PID 1744 wrote to memory of 2640	1744	dwm.exe	101
PID 1744 wrote to memory of 2640	1744	dwm.exe	101
PID 1744 wrote to memory of 2640	1744	dwm.exe	101
PID 1744 wrote to memory of 2688	1744	dwm.exe	102
PID 1744 wrote to memory of 2688	1744	dwm.exe	102
PID 1744 wrote to memory of 2688	1744	dwm.exe	102
PID 2640 wrote to memory of 956	2640	WScript.exe	103
PID 2640 wrote to memory of 956	2640	WScript.exe	103
PID 2640 wrote to memory of 956	2640	WScript.exe	103
PID 956 wrote to memory of 2684	956	dwm.exe	104
PID 956 wrote to memory of 2684	956	dwm.exe	104
PID 956 wrote to memory of 2684	956	dwm.exe	104
PID 956 wrote to memory of 2936	956	dwm.exe	105
PID 956 wrote to memory of 2936	956	dwm.exe	105
PID 956 wrote to memory of 2936	956	dwm.exe	105
PID 2684 wrote to memory of 580	2684	WScript.exe	106
PID 2684 wrote to memory of 580	2684	WScript.exe	106
PID 2684 wrote to memory of 580	2684	WScript.exe	106
PID 580 wrote to memory of 1440	580	dwm.exe	107
PID 580 wrote to memory of 1440	580	dwm.exe	107
PID 580 wrote to memory of 1440	580	dwm.exe	107
PID 580 wrote to memory of 2052	580	dwm.exe	108
PID 580 wrote to memory of 2052	580	dwm.exe	108
PID 580 wrote to memory of 2052	580	dwm.exe	108
PID 1440 wrote to memory of 2348	1440	WScript.exe	109

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe
"C:\Users\Admin\AppData\Local\Temp\9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1744
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79010d4f-5b74-4feb-be68-a9e5e54bf737.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
      "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:956
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2e2154b-c18b-4350-b6cf-21497afdf2c6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2923ba6a-04e8-4080-99d0-49349881788c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89f3deab-6f88-4a85-8c1f-bfb9ff784a17.vbs"
        9⤵
        
        PID:2920
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c31e2acf-1b5f-4654-a556-b96727746438.vbs"
        11⤵
        
        PID:2592
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c508e9a-cfd1-447a-b216-a9c008b69fb0.vbs"
        13⤵
        
        PID:2736
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97032e7a-4644-4949-b36f-779bc4ee6e11.vbs"
        15⤵
        
        PID:1072
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\994d2ab0-cc0c-4d37-b32d-e2fcd74702d8.vbs"
        17⤵
        
        PID:1536
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb60c8bd-3272-4a73-9ed4-ed69fa678df2.vbs"
        19⤵
        
        PID:2648
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c0391d3-34b2-4fc8-92c2-6c4111b27728.vbs"
        21⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84bbaa3d-58d4-4c50-917d-2b34dbb2b973.vbs"
        21⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab58c9d5-e9a9-4283-8d4f-12d92244c009.vbs"
        19⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c88313-16f2-4ca2-938b-ac08c68e9017.vbs"
        17⤵
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6d41ce2-66fe-41bb-ba1d-e0d0c1dc0c1b.vbs"
        15⤵
        
        PID:444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c25a0ef-7522-4d72-a3f4-f38837aa7e02.vbs"
        13⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3d508e-4799-4f85-bf4c-c46b6a9f6f31.vbs"
        11⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\007aaec8-a4ae-4e56-839a-3bf045fbc34f.vbs"
        9⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b07b277f-72d8-4ab1-84a1-34af892fd0e7.vbs"
        7⤵
        
        PID:2052
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f93f1f3-c6de-4b37-b885-10c08286f133.vbs"
        5⤵
        
        PID:2936
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a66e4eac-9eb4-4b4a-8a4b-c204c7430851.vbs"
    3⤵
    PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Templates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Vss\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
4.9MB

MD5
b9e511985eee23b9e0d88492f675f774

SHA1
e9f1ce9ed0f5ff399099f12395a1283d8e6dd259

SHA256
4c39c76e93b20340e71df7b971de0b7bb0e77e4e04779a16f453323c36a74810

SHA512
463f49da91b1423f9896051781ff35fc73419c9bfd5a9a6af436a40dcd7524087859856bee6ebd03c7b9e07653a0bbb16fdbc9831065e278bdeffa1f4805fef9

Download Submit
C:\Program Files\Windows NT\Accessories\it-IT\RCXB890.tmp

Filesize
4.9MB

MD5
9479d7dea9727c981ef0a7b1fd854013

SHA1
adbbb467d8dba42db93df4741f17302b17fed4da

SHA256
fe51931d8e9dd2e757448a2c3f365c1e4900cd00a7fde6efd38c421f58135fc4

SHA512
9cfdf3deb477b4580826966e1812311495335e5bc8887b94ae2315c9a2e27c1eba64bc7813575d6f499b112f108d2c1d5ab8a414aba16320e48d5e78e9cace63

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe

Filesize
4.9MB

MD5
e2241d87a05eba7625bd361348192770

SHA1
281b897777f56ef0d19d2d1ac01a8ccf192e6aaf

SHA256
9a55fe0eab70afff8306d479da0f5420f11b00916bca6c51a73c1423a6df1b01

SHA512
0d040357739485e57462e6ca307816f0e661f8329e31b533c750e027a5668376c1a2175630d22fd7f2db27ff8cf21377a8dfed55e59c986d762e804e2267536e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2923ba6a-04e8-4080-99d0-49349881788c.vbs

Filesize
745B

MD5
471d8e880975668a696e238bf228b875

SHA1
ea5220cff3a8a636a4edb46cfe37d55f7ecf3a4d

SHA256
3cc292bd1b7d25cac0e9281fcf8e1b0b69ccae29becf32b0eb4d8c7ca793a57c

SHA512
04752163894f9f252072c0b14b580123eda2a76a5c7e8d6f9834c6927f2ce2150ce5d520ec58f5bf44d7996cb042179314ae4beb23eeed1a8c4ccf2bf6afbb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c0391d3-34b2-4fc8-92c2-6c4111b27728.vbs

Filesize
746B

MD5
dbadeb3bfb9f51918c058abb1c28ce87

SHA1
1b8967e921d729aaa1cf0cf58e7ae00ce1655f0c

SHA256
bd684ed6958596ae85226781f73cc8892ec75b3b3565a0c3a780ff0b0f22af04

SHA512
fb7fc4fbeceb7a8902adf8ade718b59ea540acf17335816793f727787c5229308763b5caf418aa0c69f8b0627edf0c6f9c46886bb62a220df6c61c3c8965a2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\79010d4f-5b74-4feb-be68-a9e5e54bf737.vbs

Filesize
746B

MD5
0e8428b9f3e1bfac181a56c5fe85b39e

SHA1
34fb1388afe493dfa95e353d39683a36a7ec0f44

SHA256
00e588b001506625e1d73e7f7c3fdb87deaf6c6276b152d7296c9e62e3ed24c4

SHA512
2a262a324df182faa6f533eab6482c664c4dc047d7416ac6ad268eef556117ce535ab01a73c4022a5537960d128fea178282ec5395743e980aaa2e85c9aab268

Download Submit
C:\Users\Admin\AppData\Local\Temp\89f3deab-6f88-4a85-8c1f-bfb9ff784a17.vbs

Filesize
746B

MD5
b42900ba303cbd6a601aaffe46111f07

SHA1
179493489d93fe6cf6d01032d895eb1488d3cd15

SHA256
8bd719bc9f734d3cdc42cf7bdd4f2688e8263cbf43168b1106988bdf462acaad

SHA512
7f103b576afba2b6008e8963391ef60a89579266841e4f9e25d2db4ffafe0d8fc98ffe3fce4a59f9cad48045066b68f9aae40c016bfe679ba78f2793465cbce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c508e9a-cfd1-447a-b216-a9c008b69fb0.vbs

Filesize
746B

MD5
52d3058c0683840be6a7020e601a30d4

SHA1
d7da9efc9c721803f81336dd0a2acc2d61c259ab

SHA256
a3d5720a6e8f08efbe2df9a9047c95360fccae4eee314e5f69fad0f94edf793b

SHA512
723e05afd41c12ebc3877a89717d4ebef80b5c0be1aa96cd243897e24bc704bb0dcfcf07a4f75ed47176dcdcec3be3d49e36b65c07b8bc7e1cced4f56fd074c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\97032e7a-4644-4949-b36f-779bc4ee6e11.vbs

Filesize
746B

MD5
bc2413f5d4c48dc822df0c9c61190dec

SHA1
f6d0de117ec339cd7c07d851a6330248a08e2899

SHA256
4e37cc46a17df975c6f8f1469896ae6be42cc031e4b3054d732f8c9b7bcc1bfe

SHA512
25655e2510a1f5692ba6aed4b6cd7e27d3b5e078c717070be27f937b15e033ccdd6e5c421b290464b6725fc4d0f9e8b8d474a260a20d633091a9c03f718efb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\994d2ab0-cc0c-4d37-b32d-e2fcd74702d8.vbs

Filesize
746B

MD5
19078c0bcd951d0e2c8781fe7fbbba03

SHA1
fb1452efb7c93cd758f7f9d7bb1fe499f3b9ea3b

SHA256
ad3f5f049c71de77931aee2f41e97b51009ca1444beb7b896c1ed3b179f24282

SHA512
1d9d3440679a7d27d84daf5c297e99d39ac43989b7becfeab33f30d878d258d394cdcc7dace8a913ca148f020884d3a3194f400220ee8bd063f092292ee8354f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a66e4eac-9eb4-4b4a-8a4b-c204c7430851.vbs

Filesize
522B

MD5
0578eba0b41c398d8fa8b8607e7cb1b6

SHA1
02abfdf17ea62ebb8021523760eb447154f4babc

SHA256
658d87e3bec559e7ebb000dd098159580b49de43809ece2776a784e572d9a335

SHA512
0e0b81fbd30ee4be3c2093a2d6682be959c7a3cbd276cb9f4855f1a955e12da2b2497c75ed36fc98102f575e8736fcb303d868f0cb25536dc7d6d0f32b1611a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e2154b-c18b-4350-b6cf-21497afdf2c6.vbs

Filesize
745B

MD5
5fb37b3d427de16cff153e1b62c91fc1

SHA1
a43fd85e34ea43675efa860cfed8181a1bba830f

SHA256
0f1de2b84bcdad2f0dc8a9f500c7f66afcf6f566831f0c92d1ef96157449490c

SHA512
aec0f4a93547ee6f5e9820d1140adef2c2300286360a9df17aba9719c1d533161c8387f65cef50671ebd66bbd774f2479258c20814a12cdd88bc6279749e83e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb60c8bd-3272-4a73-9ed4-ed69fa678df2.vbs

Filesize
746B

MD5
fe1445b5969130b31b26a6493674f4a0

SHA1
6dcac08cfaadff08a3358e7220ff8a0126257b46

SHA256
2ac0d991d5e1e1b2a9d2e749e9bea1a87a1ea689c10b03764c2306a67b128b0a

SHA512
fce081ce7a083a35a782dddc4e151049d6fe44d6e4ab702d2c5b74898d1f9473b487a07a96bb9bfabfd38a0da045348368f007690bd981cf35553dd5e8b9b6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\c31e2acf-1b5f-4654-a556-b96727746438.vbs

Filesize
746B

MD5
782e7f21af4a9eb69e9db41383197ada

SHA1
4db4820ca7ed80289ee77f2055c0803ca84f4c42

SHA256
f43219f3de3ca5bf6f2a94b23e225dbfe39d2c0b9567cb1c257d437806042b28

SHA512
af37579949cb26da98ea73b6c0443b3ae5e5cc70e520662d0b2fb81657d5b8bbc13dc6e4e18179c728e5a9b0ac6bd85583c600ad06f89300e9c92880d5d112ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD76B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3f9840d73d2ae95a3ecafd6cad0ad8a1

SHA1
01d87cdeae70cfd268ac630ca3b8b3250224ff10

SHA256
2c6e5c570541589eea4dd9ca4a61df9d5bbafdd532c5a6627489b816ae35188f

SHA512
6426ff357c7596874765199054d5227cfaedd206331f6619819044168c8dcc571444a6fa619ae9eacd48653229a0fd834ad456bdc5723785314dc6a986e69fc7

Download Submit
memory/956-224-0x00000000012C0000-0x00000000017B4000-memory.dmp

Filesize
5.0MB

Download
memory/992-169-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/1368-341-0x0000000001120000-0x0000000001614000-memory.dmp

Filesize
5.0MB

Download
memory/1508-311-0x00000000008A0000-0x00000000008B2000-memory.dmp

Filesize
72KB

Download
memory/1508-310-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/1744-209-0x0000000000930000-0x0000000000E24000-memory.dmp

Filesize
5.0MB

Download
memory/1984-11-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/1984-10-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/1984-1-0x0000000000CE0000-0x00000000011D4000-memory.dmp

Filesize
5.0MB

Download
memory/1984-135-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1984-210-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1984-16-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/1984-15-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1984-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1984-13-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/1984-12-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/1984-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1984-170-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1984-9-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/1984-7-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/1984-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1984-8-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/1984-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1984-5-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1984-4-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/1984-3-0x000000001B640000-0x000000001B76E000-memory.dmp

Filesize
1.2MB

Download
memory/2256-295-0x0000000000150000-0x0000000000644000-memory.dmp

Filesize
5.0MB

Download
memory/2968-168-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2972-326-0x0000000000170000-0x0000000000664000-memory.dmp

Filesize
5.0MB

Download