dcrat | 412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Size

4.9MB
MD5

6d28b82da857e5f86596ed8e27efb260
SHA1

05fb88ba2cf61b8d55fea21d273fa2f2cb6afa9a
SHA256

412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36f
SHA512

2cb1a0bef640341cf2cbda78430b18fd8218fd4f19a0801afb2a64223551902753a99892625be76a6d4aed34bb192408921206663d64b916e0298d5fa5572fdf
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	872	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2080-2-0x000000001B270000-0x000000001B39E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2128	powershell.exe
2100	powershell.exe
2000	powershell.exe
564	powershell.exe
2508	powershell.exe
2064	powershell.exe
2488	powershell.exe
2456	powershell.exe
332	powershell.exe
2256	powershell.exe
2468	powershell.exe
2060	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1524	WmiPrvSE.exe
2388	WmiPrvSE.exe
2896	WmiPrvSE.exe
2996	WmiPrvSE.exe
1360	WmiPrvSE.exe
2112	WmiPrvSE.exe
2764	WmiPrvSE.exe
308	WmiPrvSE.exe
1616	WmiPrvSE.exe
3060	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\dwm.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\6cb0b6c459d5d3	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\sppsvc.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXD7CE.tmp	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Program Files\Microsoft Office\Office14\0a1fd5f707cd16	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\RCXD358.tmp	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXE52C.tmp	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\dwm.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Program Files\Microsoft Office\Office14\sppsvc.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\dllhost.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Windows\ShellNew\5940a34987c991	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Windows\Boot\Fonts\System.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Windows\Globalization\MCT\RCXD5CA.tmp	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Windows\Globalization\MCT\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Windows\ShellNew\dllhost.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Windows\Globalization\MCT\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File created	C:\Windows\Globalization\MCT\0476e39e1ac9e3	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
File opened for modification	C:\Windows\ShellNew\RCXE0B7.tmp	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1020	schtasks.exe
2992	schtasks.exe
2200	schtasks.exe
1936	schtasks.exe
548	schtasks.exe
3044	schtasks.exe
2340	schtasks.exe
2740	schtasks.exe
2688	schtasks.exe
2872	schtasks.exe
1944	schtasks.exe
2756	schtasks.exe
3068	schtasks.exe
1416	schtasks.exe
3004	schtasks.exe
2728	schtasks.exe
1724	schtasks.exe
1776	schtasks.exe
2708	schtasks.exe
2620	schtasks.exe
824	schtasks.exe
2372	schtasks.exe
2364	schtasks.exe
556	schtasks.exe
1932	schtasks.exe
2968	schtasks.exe
2164	schtasks.exe
2824	schtasks.exe
788	schtasks.exe
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
332	powershell.exe
2100	powershell.exe
2508	powershell.exe
2488	powershell.exe
2060	powershell.exe
2128	powershell.exe
2468	powershell.exe
2000	powershell.exe
2256	powershell.exe
564	powershell.exe
2064	powershell.exe
2456	powershell.exe
1524	WmiPrvSE.exe
2388	WmiPrvSE.exe
2896	WmiPrvSE.exe
2996	WmiPrvSE.exe
1360	WmiPrvSE.exe
2112	WmiPrvSE.exe
2764	WmiPrvSE.exe
308	WmiPrvSE.exe
1616	WmiPrvSE.exe
3060	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1524	WmiPrvSE.exe
Token: SeDebugPrivilege	2388	WmiPrvSE.exe
Token: SeDebugPrivilege	2896	WmiPrvSE.exe
Token: SeDebugPrivilege	2996	WmiPrvSE.exe
Token: SeDebugPrivilege	1360	WmiPrvSE.exe
Token: SeDebugPrivilege	2112	WmiPrvSE.exe
Token: SeDebugPrivilege	2764	WmiPrvSE.exe
Token: SeDebugPrivilege	308	WmiPrvSE.exe
Token: SeDebugPrivilege	1616	WmiPrvSE.exe
Token: SeDebugPrivilege	3060	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2488	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	62
PID 2080 wrote to memory of 2488	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	62
PID 2080 wrote to memory of 2488	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	62
PID 2080 wrote to memory of 2456	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	63
PID 2080 wrote to memory of 2456	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	63
PID 2080 wrote to memory of 2456	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	63
PID 2080 wrote to memory of 332	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	64
PID 2080 wrote to memory of 332	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	64
PID 2080 wrote to memory of 332	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	64
PID 2080 wrote to memory of 2128	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	65
PID 2080 wrote to memory of 2128	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	65
PID 2080 wrote to memory of 2128	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	65
PID 2080 wrote to memory of 2100	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	66
PID 2080 wrote to memory of 2100	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	66
PID 2080 wrote to memory of 2100	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	66
PID 2080 wrote to memory of 2000	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	67
PID 2080 wrote to memory of 2000	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	67
PID 2080 wrote to memory of 2000	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	67
PID 2080 wrote to memory of 2256	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	68
PID 2080 wrote to memory of 2256	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	68
PID 2080 wrote to memory of 2256	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	68
PID 2080 wrote to memory of 564	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	69
PID 2080 wrote to memory of 564	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	69
PID 2080 wrote to memory of 564	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	69
PID 2080 wrote to memory of 2508	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	70
PID 2080 wrote to memory of 2508	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	70
PID 2080 wrote to memory of 2508	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	70
PID 2080 wrote to memory of 2468	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	71
PID 2080 wrote to memory of 2468	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	71
PID 2080 wrote to memory of 2468	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	71
PID 2080 wrote to memory of 2060	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	72
PID 2080 wrote to memory of 2060	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	72
PID 2080 wrote to memory of 2060	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	72
PID 2080 wrote to memory of 2064	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	73
PID 2080 wrote to memory of 2064	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	73
PID 2080 wrote to memory of 2064	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	73
PID 2080 wrote to memory of 1524	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	86
PID 2080 wrote to memory of 1524	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	86
PID 2080 wrote to memory of 1524	2080	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe	86
PID 1524 wrote to memory of 1740	1524	WmiPrvSE.exe	87
PID 1524 wrote to memory of 1740	1524	WmiPrvSE.exe	87
PID 1524 wrote to memory of 1740	1524	WmiPrvSE.exe	87
PID 1524 wrote to memory of 892	1524	WmiPrvSE.exe	88
PID 1524 wrote to memory of 892	1524	WmiPrvSE.exe	88
PID 1524 wrote to memory of 892	1524	WmiPrvSE.exe	88
PID 1740 wrote to memory of 2388	1740	WScript.exe	89
PID 1740 wrote to memory of 2388	1740	WScript.exe	89
PID 1740 wrote to memory of 2388	1740	WScript.exe	89
PID 2388 wrote to memory of 112	2388	WmiPrvSE.exe	90
PID 2388 wrote to memory of 112	2388	WmiPrvSE.exe	90
PID 2388 wrote to memory of 112	2388	WmiPrvSE.exe	90
PID 2388 wrote to memory of 2604	2388	WmiPrvSE.exe	91
PID 2388 wrote to memory of 2604	2388	WmiPrvSE.exe	91
PID 2388 wrote to memory of 2604	2388	WmiPrvSE.exe	91
PID 112 wrote to memory of 2896	112	WScript.exe	92
PID 112 wrote to memory of 2896	112	WScript.exe	92
PID 112 wrote to memory of 2896	112	WScript.exe	92
PID 2896 wrote to memory of 2688	2896	WmiPrvSE.exe	93
PID 2896 wrote to memory of 2688	2896	WmiPrvSE.exe	93
PID 2896 wrote to memory of 2688	2896	WmiPrvSE.exe	93
PID 2896 wrote to memory of 2448	2896	WmiPrvSE.exe	94
PID 2896 wrote to memory of 2448	2896	WmiPrvSE.exe	94
PID 2896 wrote to memory of 2448	2896	WmiPrvSE.exe	94
PID 2688 wrote to memory of 2996	2688	WScript.exe	95

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe
"C:\Users\Admin\AppData\Local\Temp\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68d21357-7e81-4993-9a8d-2a7b45c58c1e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
      "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2388
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc0a19da-9a19-4a73-9945-e972c5f50e00.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:112
      - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0386532d-c16d-4842-811a-5b37174f27ad.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f375a8-6e4d-4ffd-b6f2-d1fe68693295.vbs"
        9⤵
        
        PID:2324
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cef30b3-8887-44f3-80b4-d51133a01e23.vbs"
        11⤵
        
        PID:2304
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91370972-3fec-4d0f-84f7-4c104d91cb2a.vbs"
        13⤵
        
        PID:824
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa81255-8026-43af-96ae-5fff707ff4f0.vbs"
        15⤵
        
        PID:2864
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bde83fe-da6c-47c4-b535-3ae68b5ca2bc.vbs"
        17⤵
        
        PID:2424
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eb8d967-0a9d-4dea-a10c-5ecbe44ef962.vbs"
        19⤵
        
        PID:2124
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\081e5b78-50c4-4c1c-96ba-3e5cafb60e0d.vbs"
        21⤵
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a661268d-0ecd-4ad8-ac12-dea7b4b65fd2.vbs"
        21⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68add2ff-5918-4429-93f2-ad6d8ab1a1c6.vbs"
        19⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f5749b9-34ad-405b-aa51-b92ab532206d.vbs"
        17⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2499cd8-2211-492d-a3e6-b92427a7bdb4.vbs"
        15⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b9d855-599f-4498-9cdf-01147431ac1a.vbs"
        13⤵
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\826e2c33-1e44-48b6-ac70-78c4f391578b.vbs"
        11⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93021819-3565-4026-9016-575884e7ac12.vbs"
        9⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15f5c587-4407-4e80-9801-947326c47412.vbs"
        7⤵
        
        PID:2448
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9310d774-2739-4c14-ab52-c5a719229b31.vbs"
        5⤵
        
        PID:2604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13052b53-e8aa-4fcd-9bf5-c886b7d85ef1.vbs"
    3⤵
    PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN4" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\MCT\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN4" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36fN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe

Filesize
4.9MB

MD5
6d28b82da857e5f86596ed8e27efb260

SHA1
05fb88ba2cf61b8d55fea21d273fa2f2cb6afa9a

SHA256
412289c384f270c9ea81d7498dedcb4be1f202f9dd74a1c480374745e9c1e36f

SHA512
2cb1a0bef640341cf2cbda78430b18fd8218fd4f19a0801afb2a64223551902753a99892625be76a6d4aed34bb192408921206663d64b916e0298d5fa5572fdf

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe

Filesize
4.9MB

MD5
7342fc1a0b832871720d8d5ab450ce97

SHA1
25e10a60923a840277660752c816182339127c83

SHA256
db724b03659d5bf59e0adb6332e095dc2829c4a009a0fd072a00208ec2197a46

SHA512
2b8eeef0c41f22331f7adb7f61e10cbd0e333694899bd3c218391b95041de2299f29deefb991508d0caa7626568b50401363cf61953a28ae3a26e28b4831bbb7

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe

Filesize
4.9MB

MD5
7fae9d806b245d3ad5939de9528cac0a

SHA1
8718e5cbb356462f4486e6c3fbafdb93bb39a254

SHA256
e1bf642d5444756dfac4f8104dc065b128cfc7fc8cdc61e58a4ec4c20f878ac1

SHA512
ef2d3e39de0c12a2ac7f03af5214458a97bf910fce8537167cd84c05a9afe9a2415d60f0ec1d3a5ec727fd26ab1f2e668d8247edf8d03135e87450b5bba5231b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0386532d-c16d-4842-811a-5b37174f27ad.vbs

Filesize
751B

MD5
dcf9f514fce64825bd66395890f842d9

SHA1
37e33b4cece148404e12f882661bf395a52283d1

SHA256
f814c45d293605b243f302b24680f5fad97d3b6b6886d1449011e81935eda8dc

SHA512
c5f0cfb5c43251bcfa6f7ab0b820c7eb362e3b9b564dfd0976a099890c87bc7d8311cf8c59266e0178264d2e1b6514cba18af9fe7a94b7680fc15f34a81315e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\081e5b78-50c4-4c1c-96ba-3e5cafb60e0d.vbs

Filesize
751B

MD5
2aba293df2fbab030f151f2d9ef33ac4

SHA1
42214c0fc06e0c7e2b6a354ac2b0e9705ac1a597

SHA256
341d742c9814bb9b4231165973c0de1f958716cfb51b7e3179984036d21999b1

SHA512
4daf8c59524927329fd8f90d4cc4efaa97ecdd669627ac1ad2974b10e3f4f8b1091c1d6a3d7f4ff435da46f05ad1c5f6d0771ff77ec16421141ef7e36a37f9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\13052b53-e8aa-4fcd-9bf5-c886b7d85ef1.vbs

Filesize
527B

MD5
5d6b482e785c7360311ad70157623056

SHA1
0d5d1ee0c6d266261cf4d0af3716275db740398d

SHA256
aadf978f43f83b7f7341665029d15fb2ec793e95e9f9334bc9b05a82d478b62f

SHA512
64d2ed58b5d4fd4d2cac916ba9cb364e17f3c19b4a25ed3690256f46914499996c356617998d14b224ceebbc2b22818931df9fb96477d967fbedd3d6a2eaee1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cef30b3-8887-44f3-80b4-d51133a01e23.vbs

Filesize
751B

MD5
70a2a1bd8257cdd42d5f00974231e042

SHA1
322dad085bc9d8a5c91eec249667a7f84c31d4c6

SHA256
10bb43fb75212fb3310ac1e98ccfe875000f4c4b867d3239fa76aa8253b1ce28

SHA512
42a492ee609bdf8ba6510d987d966e73264d8dd9c5b5248df97f70de6442b9ff09e1bb7b0dfc824302a535e632da50d592059200bf9d897f600efb600c4f7415

Download Submit
C:\Users\Admin\AppData\Local\Temp\68d21357-7e81-4993-9a8d-2a7b45c58c1e.vbs

Filesize
751B

MD5
408275db24a77349bf9f0b0e4c871195

SHA1
0b47836f195a8b4be39697b2734c2b9185dfefd0

SHA256
cb35547f7c44cabbce16f5d2cd811e619c315220de0126ca797ba90e8714b2d7

SHA512
ad5a5c0e1accfbafa6b1f12bb1d5d728e0ab51626e3584a9d54a79782c8e573e63bde7301e8df5dc8c99cd78f8d79d8320ae5ef719ee13999461de0f2e2cf035

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bde83fe-da6c-47c4-b535-3ae68b5ca2bc.vbs

Filesize
750B

MD5
bff0b87b3bfe7a08fbfe4237cea8cdce

SHA1
d191a741a94cdc1d42ae0273609ed2ae735d16eb

SHA256
13e79733e4287c9f73a499ba713d4efec1c195edb838abb83d164bd4cad55a06

SHA512
3b27b053f42f5d15a6db01321e947f0dc21fe353b97a9ced857178b293ac5dbebfd7e937bf593f0742d1c835e99c2aeda05f7ed9d097166468cb83a0e0e0c685

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eb8d967-0a9d-4dea-a10c-5ecbe44ef962.vbs

Filesize
751B

MD5
b54ed5de420600043ddbd40bc65b7e45

SHA1
59fa45217fadced71236a1792fbd0f066fe406d6

SHA256
d11eba2bad4f3b94b6e79b140c8e4ea473b24c3e1dda7fbd6f491e6bc8d06250

SHA512
a131d92963b3bef4083f4c18fc04580372b77e40272db0b15f6e6a84e89a544d8cfacad57c7d98a6c3784d6201bb03d0b34083161a0a8d4f5dd5ebeea93b7824

Download Submit
C:\Users\Admin\AppData\Local\Temp\91370972-3fec-4d0f-84f7-4c104d91cb2a.vbs

Filesize
751B

MD5
aa55055dd40f24de11584d0af1e22e41

SHA1
a7a5e86e9b5e9be3ca9afd31c7eec68a2a28fbf5

SHA256
fdb2767dea36b01e3415e1c23b7f22f89a690de46905d5107cacc0393e2d2aea

SHA512
ba74eb25359cc2d57c7b58d455455107f6fff1e9bc104964d6c0d030837bf0a2c00b46e503db28a86bf82f52c684d51346ac3a4b4628afb01b624ada6e93567d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3f375a8-6e4d-4ffd-b6f2-d1fe68693295.vbs

Filesize
751B

MD5
659a08349b86503d80f49f88127e37ad

SHA1
1717ea4cef133549b8e96c5bb12fe162192edc68

SHA256
206fb516d7b403705cc08ebe8fd8f70dcddde06c9ccf4dfec52deb9f6f31e699

SHA512
d4f5b7e566b7e7ca40991558857d241c3d6df500aa333015c7aac50dca16da3716f4ba638cc3ff1bff3ae394c6fa0fee6b9d2bf5ef7d44f74e9597fc093cc42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfa81255-8026-43af-96ae-5fff707ff4f0.vbs

Filesize
751B

MD5
83ad3a16d578f8b29b8cef17c348b6a8

SHA1
6add129af52691f273e7611f189c6340845f16c0

SHA256
71c5f94db8990035fc224270717d1158a3ec3dcc6ac00dfb9ad6d7fd46eaa201

SHA512
750fe3d728672d5e942e882ce1d93ab07d5dc9c5dd57aa24a8b9f7b375e226e3b8ec2e777261f9b345f137516cf1ae56eac86fcbd1a08e394a4f5aec65cb04b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc0a19da-9a19-4a73-9945-e972c5f50e00.vbs

Filesize
751B

MD5
d6a6807a965e197109c765f88c943c3f

SHA1
35a68d0003d5552bfe9a16404d0ade144b189a8d

SHA256
84e603cd7272cc7f731f474d3040ca20e68ca03c3a1477980f14b460db05c6e6

SHA512
7c99dbe8a47d6416a3f0fe2ab2e6508c089b218776ef8417b7dd5089bd6f33916b4fd5f066ff3c59da60808b327ca220e434de2dcac4f9784f98da4d8bc85e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF586.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
13f833e6818fd9373f2cfb90999b4bde

SHA1
78733c7a38252f6f43a4ef59278765b5097e1c48

SHA256
94db0022bfcf4ce0f6b88285f98b1cf4217e782639e5171adaa2471a09f6f19c

SHA512
7a3e8e63be10c2eb9a7edbc39c77873c158ce052ffea9acb78a7cf703b5efc221262fedc61d1ff806f9ee878f48072f5dd7492db17458b03acd278894b12aa45

Download Submit
memory/308-280-0x0000000000350000-0x0000000000844000-memory.dmp

Filesize
5.0MB

Download
memory/332-170-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1360-235-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/1524-114-0x0000000000FA0000-0x0000000001494000-memory.dmp

Filesize
5.0MB

Download
memory/1616-295-0x0000000001050000-0x0000000001544000-memory.dmp

Filesize
5.0MB

Download
memory/1616-296-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2080-8-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2080-5-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2080-111-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-11-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2080-10-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2080-9-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/2080-16-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/2080-7-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2080-6-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2080-0-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

Filesize
4KB

Download
memory/2080-12-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/2080-13-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/2080-4-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/2080-14-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2080-3-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-2-0x000000001B270000-0x000000001B39E000-memory.dmp

Filesize
1.2MB

Download
memory/2080-1-0x0000000000ED0000-0x00000000013C4000-memory.dmp

Filesize
5.0MB

Download
memory/2080-15-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/2100-159-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2112-250-0x0000000000020000-0x0000000000514000-memory.dmp

Filesize
5.0MB

Download
memory/2388-189-0x0000000000290000-0x0000000000784000-memory.dmp

Filesize
5.0MB

Download
memory/2764-265-0x0000000000F90000-0x0000000001484000-memory.dmp

Filesize
5.0MB

Download
memory/2896-204-0x0000000000A90000-0x0000000000F84000-memory.dmp

Filesize
5.0MB

Download
memory/2996-220-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2996-219-0x0000000001370000-0x0000000001864000-memory.dmp

Filesize
5.0MB

Download