dcrat | b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09

Analysis

max time kernel
120s
max time network
115s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Size

4.9MB
MD5

604f0b5ecdccdf0e76198b6a7d13b110
SHA1

ec5d3e886db59e7167834ac6124c8daafe2aaa08
SHA256

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09
SHA512

a42477393297ed9c246cc3d6eae43777194ba3ea7617cde4015821124203d7159bbb370fadcf7f4d7f1633d5d97de5d11a8b6d5758982c85c2ffd4e3fc4ab1ec
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2392	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2392	schtasks.exe	29

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exeb30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exesmss.exesmss.exesmss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2412-3-0x000000001B3A0000-0x000000001B4CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2864	powershell.exe
2196	powershell.exe
2784	powershell.exe
2364	powershell.exe
2868	powershell.exe
2368	powershell.exe
1000	powershell.exe
1644	powershell.exe
2560	powershell.exe
2988	powershell.exe
2548	powershell.exe
2052	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	Process
1712	smss.exe
2624	smss.exe
1720	smss.exe
876	smss.exe
2412	smss.exe
3056	smss.exe
2364	smss.exe
264	smss.exe
2300	smss.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exeb30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 24 IoCs

Processes:

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\69ddcba757bf72	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX9B18.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\5940a34987c991	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\56085415360792	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files\Windows Journal\en-US\OSPPSVC.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9D1C.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\RCXB970.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\27d1bcfc3c54e0	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\RCXB2F8.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\wininit.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXB4FB.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\wininit.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files\Windows Journal\en-US\1610b97d3ab4a7	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\RCXA403.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\OSPPSVC.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2172	schtasks.exe
2884	schtasks.exe
2756	schtasks.exe
2572	schtasks.exe
2488	schtasks.exe
2988	schtasks.exe
2960	schtasks.exe
2624	schtasks.exe
2688	schtasks.exe
2044	schtasks.exe
1220	schtasks.exe
984	schtasks.exe
1412	schtasks.exe
2216	schtasks.exe
1252	schtasks.exe
2404	schtasks.exe
960	schtasks.exe
1796	schtasks.exe
2652	schtasks.exe
2964	schtasks.exe
3064	schtasks.exe
2484	schtasks.exe
2332	schtasks.exe
556	schtasks.exe
908	schtasks.exe
1048	schtasks.exe
2420	schtasks.exe
3012	schtasks.exe
264	schtasks.exe
1348	schtasks.exe
2820	schtasks.exe
2844	schtasks.exe
2704	schtasks.exe
1564	schtasks.exe
2456	schtasks.exe
2552	schtasks.exe
2732	schtasks.exe
1976	schtasks.exe
2792	schtasks.exe
2928	schtasks.exe
2136	schtasks.exe
1640	schtasks.exe
1500	schtasks.exe
1832	schtasks.exe
2248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	Process
2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2052	powershell.exe
2560	powershell.exe
2364	powershell.exe
2864	powershell.exe
2196	powershell.exe
2868	powershell.exe
1644	powershell.exe
1000	powershell.exe
2988	powershell.exe
2368	powershell.exe
2548	powershell.exe
2784	powershell.exe
1712	smss.exe
2624	smss.exe
1720	smss.exe
876	smss.exe
2412	smss.exe
3056	smss.exe
2364	smss.exe
264	smss.exe
2300	smss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	1712	smss.exe
Token: SeDebugPrivilege	2624	smss.exe
Token: SeDebugPrivilege	1720	smss.exe
Token: SeDebugPrivilege	876	smss.exe
Token: SeDebugPrivilege	2412	smss.exe
Token: SeDebugPrivilege	3056	smss.exe
Token: SeDebugPrivilege	2364	smss.exe
Token: SeDebugPrivilege	264	smss.exe
Token: SeDebugPrivilege	2300	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.execmd.exesmss.exeWScript.exesmss.exeWScript.exesmss.exe

description	pid	Process	procid_target
PID 2412 wrote to memory of 2868	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	75
PID 2412 wrote to memory of 2868	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	75
PID 2412 wrote to memory of 2868	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	75
PID 2412 wrote to memory of 2052	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	76
PID 2412 wrote to memory of 2052	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	76
PID 2412 wrote to memory of 2052	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	76
PID 2412 wrote to memory of 1000	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	77
PID 2412 wrote to memory of 1000	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	77
PID 2412 wrote to memory of 1000	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	77
PID 2412 wrote to memory of 2368	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	78
PID 2412 wrote to memory of 2368	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	78
PID 2412 wrote to memory of 2368	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	78
PID 2412 wrote to memory of 2864	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	79
PID 2412 wrote to memory of 2864	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	79
PID 2412 wrote to memory of 2864	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	79
PID 2412 wrote to memory of 2196	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	81
PID 2412 wrote to memory of 2196	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	81
PID 2412 wrote to memory of 2196	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	81
PID 2412 wrote to memory of 2560	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	82
PID 2412 wrote to memory of 2560	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	82
PID 2412 wrote to memory of 2560	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	82
PID 2412 wrote to memory of 2364	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	83
PID 2412 wrote to memory of 2364	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	83
PID 2412 wrote to memory of 2364	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	83
PID 2412 wrote to memory of 1644	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	85
PID 2412 wrote to memory of 1644	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	85
PID 2412 wrote to memory of 1644	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	85
PID 2412 wrote to memory of 2784	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	88
PID 2412 wrote to memory of 2784	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	88
PID 2412 wrote to memory of 2784	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	88
PID 2412 wrote to memory of 2988	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	89
PID 2412 wrote to memory of 2988	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	89
PID 2412 wrote to memory of 2988	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	89
PID 2412 wrote to memory of 2548	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	90
PID 2412 wrote to memory of 2548	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	90
PID 2412 wrote to memory of 2548	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	90
PID 2412 wrote to memory of 852	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	99
PID 2412 wrote to memory of 852	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	99
PID 2412 wrote to memory of 852	2412	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	99
PID 852 wrote to memory of 1044	852	cmd.exe	101
PID 852 wrote to memory of 1044	852	cmd.exe	101
PID 852 wrote to memory of 1044	852	cmd.exe	101
PID 852 wrote to memory of 1712	852	cmd.exe	102
PID 852 wrote to memory of 1712	852	cmd.exe	102
PID 852 wrote to memory of 1712	852	cmd.exe	102
PID 1712 wrote to memory of 2824	1712	smss.exe	103
PID 1712 wrote to memory of 2824	1712	smss.exe	103
PID 1712 wrote to memory of 2824	1712	smss.exe	103
PID 1712 wrote to memory of 1724	1712	smss.exe	104
PID 1712 wrote to memory of 1724	1712	smss.exe	104
PID 1712 wrote to memory of 1724	1712	smss.exe	104
PID 2824 wrote to memory of 2624	2824	WScript.exe	105
PID 2824 wrote to memory of 2624	2824	WScript.exe	105
PID 2824 wrote to memory of 2624	2824	WScript.exe	105
PID 2624 wrote to memory of 2652	2624	smss.exe	106
PID 2624 wrote to memory of 2652	2624	smss.exe	106
PID 2624 wrote to memory of 2652	2624	smss.exe	106
PID 2624 wrote to memory of 3032	2624	smss.exe	107
PID 2624 wrote to memory of 3032	2624	smss.exe	107
PID 2624 wrote to memory of 3032	2624	smss.exe	107
PID 2652 wrote to memory of 1720	2652	WScript.exe	108
PID 2652 wrote to memory of 1720	2652	WScript.exe	108
PID 2652 wrote to memory of 1720	2652	WScript.exe	108
PID 1720 wrote to memory of 1228	1720	smss.exe	109

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

smss.exesmss.exeb30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
"C:\Users\Admin\AppData\Local\Temp\b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cIkD0YY0a7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
    "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1712
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d32f4b4-7f06-4b00-802a-160e968e3ba3.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2624
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a69ef08-ec75-4587-a61d-a6e5796b1476.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfa4ea3f-9694-4db5-93a8-45066bc76448.vbs"
        8⤵
        
        PID:1228
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7caa3552-68e9-4396-95a6-92f601815bc2.vbs"
        10⤵
        
        PID:1776
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9028cd18-9272-44c1-b341-caaa57315498.vbs"
        12⤵
        
        PID:2272
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f9c3aeb-c006-46ba-9787-795d199a7217.vbs"
        14⤵
        
        PID:1900
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53f56b49-83df-45c7-9a0d-0ac56719d90d.vbs"
        16⤵
        
        PID:2056
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04cc8827-7dac-45d1-a233-f39102921516.vbs"
        18⤵
        
        PID:2940
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f38a618f-7c48-4d83-abbe-5210ffa6aaf4.vbs"
        20⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c0d4030-cad7-4ce8-9525-73c9387e49f8.vbs"
        20⤵
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e04b8f50-3133-40dc-84f4-faeea7c76af1.vbs"
        18⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5bc2c18-49d9-4922-8a65-bba9be67dec8.vbs"
        16⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d7ab194-e066-4e83-9660-3bf292c394fe.vbs"
        14⤵
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\821cac83-d299-4bdd-97a7-1512e6ae71d0.vbs"
        12⤵
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da22345b-f236-4eb2-9b0b-ceb7aea1baf2.vbs"
        10⤵
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dda687fd-c4ad-4f27-afcf-f37fd77e1f69.vbs"
        8⤵
        
        PID:2856
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16fdade5-8369-46e2-899b-813080e54d75.vbs"
        6⤵
        
        PID:3032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ff13494-9095-4630-bdbc-9c1a0998f6d1.vbs"
      4⤵
      PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Local\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Local\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\en-US\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\gmp-clearkey\smss.exe

Filesize
4.9MB

MD5
604f0b5ecdccdf0e76198b6a7d13b110

SHA1
ec5d3e886db59e7167834ac6124c8daafe2aaa08

SHA256
b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09

SHA512
a42477393297ed9c246cc3d6eae43777194ba3ea7617cde4015821124203d7159bbb370fadcf7f4d7f1633d5d97de5d11a8b6d5758982c85c2ffd4e3fc4ab1ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\RCXA606.tmp

Filesize
4.9MB

MD5
1286f3bb314c2a52f19cf69600525626

SHA1
870d77ba1c0880bceaa91a5ea1d8f2ce89587a51

SHA256
d7360067d4aa4e705b2821eb1aa928a063f62341d506380728c53dff74ddd95c

SHA512
6c95f710cc1aa8826e11bd888895fc2c9365c47cae2931ea653cf19762927e2c5892d60f769f220f0a81438c9f937d7b077fe2dcd53d158a13da40aaae114c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\04cc8827-7dac-45d1-a233-f39102921516.vbs

Filesize
729B

MD5
18d188d214769f989b7e18596f4a2dd1

SHA1
2df6ef57a03f8aa80e9202b140053c81c58e9d74

SHA256
b4310868dc7f030d6988e56a6da98d6839a1c9c78628eb3da4728ee805afaf48

SHA512
3053383378e1ef5028de4d8ca9a34707d4f7edbb2fe67cf366275d749b8569f9089712b625057c9f11775ee632c3b528c7a02e5a8220b98fc0622b264da55e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a69ef08-ec75-4587-a61d-a6e5796b1476.vbs

Filesize
730B

MD5
b2c0b3e7b423e631bbad770d3863db2b

SHA1
d0ca468a4e3e5314390cc045b3f0f49c0a1932bc

SHA256
e6d615dac0238e79d66fc3865328ee559e5577399e96e1fc9909cd8260fff809

SHA512
2a3ddb19dcd56b6751f229101845dfebf11c6b1259dfa137d880980d4fed395c4d4dde6934ba42bec519beb1ae56f5043368fce1a94518d6247a4d4c6af65c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f9c3aeb-c006-46ba-9787-795d199a7217.vbs

Filesize
730B

MD5
47bae5fdc65bfd62173ac8cc884f80fb

SHA1
f0838d691daff0b3e1536e31d92e39b42ed7570c

SHA256
d60ef73045c863a489e9e3844e9bf889f7e72b4f9f395be89686b85ffca6870f

SHA512
639a88ba6ccfd401811b3aa267aa2fcaa35ae4b38e27abe6c34238f239f8f197834f35c96c1cd4116ba3b108bc8d16cef67de64d3ed0bdbf76cb44ba5f85b449

Download Submit
C:\Users\Admin\AppData\Local\Temp\53f56b49-83df-45c7-9a0d-0ac56719d90d.vbs

Filesize
730B

MD5
b229ab74e44446f8337429c24d39ae40

SHA1
f49d33148fc04518aca76ccc3930fa4ded381970

SHA256
7d3cc83cab99ad49a0f38a71ad66f79e740214e8e30a776a81ffaff98fd56931

SHA512
98b2bf116cee8c0c37f928d1cccfde052e7b1a9b0424e28c3805784e406c038cbdbae2cd2bf4116bce42758b8e8604b2865e7c9af9ec5f460302a70f4dad24c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ff13494-9095-4630-bdbc-9c1a0998f6d1.vbs

Filesize
506B

MD5
9d79a2e1a7e3d2e673fc5f5d9447f653

SHA1
25db5e405beff5cd29345eb70a363d0831b0ab1c

SHA256
b2960bc4632e7f13cf1e6eb3fdbb510359c55d95ca7e70f8bf75cc5b9c129cd9

SHA512
20a62ad5a234a935cb5efffd7adcced2a612c43f9f583cae6d76464f905a9e93e7f33319496099a11e47172ca495596fc19d4802c74bcb55bc508caee411c85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7caa3552-68e9-4396-95a6-92f601815bc2.vbs

Filesize
729B

MD5
3df9290fa9d7be12a869c10c83cd4a74

SHA1
5d3fffbcec3f58ca23e6cfcef81f0d637051ff21

SHA256
22a2809c6628773dda5aa19c900242aa9996b8db5e4a26c97a85c7c5b5b676fa

SHA512
c3089f42642681062ed2f9fc794e6b9df1d5eb4b44ce59e27084d74d7d56e989b4d75a9f52bc189dd516bf16af042a736e9cef67057a65f87901e775ce8a373d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d32f4b4-7f06-4b00-802a-160e968e3ba3.vbs

Filesize
730B

MD5
a45430a0bbcc48c6542f1188997b75a3

SHA1
0fb95b0f5afb8a531e511ee82db217c8294f2078

SHA256
52b030de2e50d8b4195bc0c458b97917dbcd514bd9eea5ee71cee1060b005da3

SHA512
f5a217a3744a5a8a70c9a86571d93d4d099e3f8ed693ffd5e339622e0ee7c25f020c69c4cbb6adb8e8a4a0eeb5940369dea2462d48db2bb18339af71fffdbd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\9028cd18-9272-44c1-b341-caaa57315498.vbs

Filesize
730B

MD5
e4db4d7edcc429a7e8cb7b993dfe03d7

SHA1
2c6c6d0d40e45c9bc0a63adf1f5f05e7f5f05545

SHA256
e98a20a988b3ed3a1f49a10508fef01fc254d36d241cc99751a42b4add1e307c

SHA512
0d0e48846f0af34f1d0c79f4218662cbabe583e2f2aa3c6e9574a416b33bef5e5988a1fedbd52ea541af6b5486178f860e4a520832b6bac2765294a466b73a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIkD0YY0a7.bat

Filesize
219B

MD5
c43fb6ee345bcf5fb12cc53fd31852ae

SHA1
5c784407dc7febc5ce6624971a52f5d1ac3a2821

SHA256
bed5d26133ff6c26882ae5b0bfd6fe031899d634624fd71895926962bb9d4a7f

SHA512
e39c25ab5e909990cdbf39284613bf7188e98739b9c9bc0db63cbe541db67c588b7dc1d734da0d76be8d59cb8b1755a322f77934646753d40dc53dc084fbc7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfa4ea3f-9694-4db5-93a8-45066bc76448.vbs

Filesize
730B

MD5
b4a56b2d16479371b5075ef596d1b68c

SHA1
4f9833b680da4c2087efe52e7148fccded861ca0

SHA256
4c563c7c16a734ab07c0efe5ffebf40a7bd3b567c6fc966d59ef776b015e2771

SHA512
066c7751c0894a7e9917218767c18e82647219f9101f8b6e392bb4305d3d6a08e8c47dc19e901477a8390ed6104d9d000d20e711d541bcf63111a47ca16a2985

Download Submit
C:\Users\Admin\AppData\Local\Temp\f38a618f-7c48-4d83-abbe-5210ffa6aaf4.vbs

Filesize
730B

MD5
a6b285cf725c8d9db905bd06e94ec936

SHA1
3909192fb3e35837528efb61e8e667c01fe7885e

SHA256
968ed2900ea197288c47678679fb08877bb2504cf2a83b2e548836c45830229d

SHA512
1b9521c5e4d39a73c2602dfec738b15d4f31beb8fb75d9e2124016a9a7f9ddb57d9ded71c8ceb546bce608947daad35d954299ef4c71eb1f6732321856c37a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f3351be3c3ba557bc754399b3f31efbb

SHA1
9b111dd522cc619be65e5babefc3fae1bd06f1cc

SHA256
2a1f7edda0f98ad7acb51be7494438a5501dd717f4d9f748b2614b9f798c783b

SHA512
ea576969c128985459daf3d70de60e7b064a795308b0f0d1b2596543ef0e6f1d2d83096bf405fcf116839e7586678246cf23cd2a81b8766e7e279e22ef130414

Download Submit
memory/264-322-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/876-262-0x00000000000D0000-0x00000000005C4000-memory.dmp

Filesize
5.0MB

Download
memory/1712-219-0x00000000001B0000-0x00000000006A4000-memory.dmp

Filesize
5.0MB

Download
memory/2052-195-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2300-337-0x0000000001380000-0x0000000001874000-memory.dmp

Filesize
5.0MB

Download
memory/2364-307-0x0000000000CD0000-0x00000000011C4000-memory.dmp

Filesize
5.0MB

Download
memory/2412-9-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/2412-8-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2412-13-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/2412-159-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2412-1-0x0000000001100000-0x00000000015F4000-memory.dmp

Filesize
5.0MB

Download
memory/2412-153-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2412-12-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2412-11-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2412-10-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2412-16-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2412-14-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2412-15-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2412-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/2412-7-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2412-277-0x0000000001180000-0x0000000001674000-memory.dmp

Filesize
5.0MB

Download
memory/2412-6-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2412-2-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2412-5-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2412-139-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/2412-4-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2412-3-0x000000001B3A0000-0x000000001B4CE000-memory.dmp

Filesize
1.2MB

Download
memory/2624-233-0x0000000001000000-0x00000000014F4000-memory.dmp

Filesize
5.0MB

Download
memory/2988-194-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/3056-292-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download