dcrat | 8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Size

4.9MB
MD5

87c0d521f3387245929438143a477b30
SHA1

d427908e35f8a94c83750d923b32c91583091981
SHA256

8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93
SHA512

f0f2d6916ad0082e4e30874e1df32bb9250e4f4d7557746eda09c8d38ac115122856cb19361f4d6085326b7826a029ad6e413dabfb81ef439913c711e0c2ac29
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2720	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2328-3-0x000000001ADB0000-0x000000001AEDE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1572	powershell.exe
468	powershell.exe
2368	powershell.exe
1980	powershell.exe
1820	powershell.exe
1848	powershell.exe
1852	powershell.exe
2444	powershell.exe
1148	powershell.exe
2184	powershell.exe
2132	powershell.exe
1824	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2932	wininit.exe
1832	wininit.exe
2752	wininit.exe
2648	wininit.exe
2704	wininit.exe
3020	wininit.exe
1832	wininit.exe
2784	wininit.exe
2176	wininit.exe
2756	wininit.exe
1248	wininit.exe
2328	wininit.exe
2160	wininit.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\audiodg.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXCC97.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXD542.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\56085415360792	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\42af1c969fbb7b	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC821.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\audiodg.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
2252	schtasks.exe
2664	schtasks.exe
2944	schtasks.exe
2764	schtasks.exe
2660	schtasks.exe
976	schtasks.exe
2144	schtasks.exe
1968	schtasks.exe
2684	schtasks.exe
836	schtasks.exe
2136	schtasks.exe
2872	schtasks.exe
1972	schtasks.exe
2152	schtasks.exe
2992	schtasks.exe
3000	schtasks.exe
2264	schtasks.exe
2688	schtasks.exe
1020	schtasks.exe
2776	schtasks.exe
2704	schtasks.exe
2980	schtasks.exe
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
1848	powershell.exe
1148	powershell.exe
1572	powershell.exe
468	powershell.exe
1824	powershell.exe
2184	powershell.exe
2368	powershell.exe
2132	powershell.exe
1820	powershell.exe
1852	powershell.exe
1980	powershell.exe
2444	powershell.exe
2932	wininit.exe
1832	wininit.exe
2752	wininit.exe
2648	wininit.exe
2704	wininit.exe
3020	wininit.exe
1832	wininit.exe
2784	wininit.exe
2176	wininit.exe
2756	wininit.exe
1248	wininit.exe
2328	wininit.exe
2160	wininit.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2932	wininit.exe
Token: SeDebugPrivilege	1832	wininit.exe
Token: SeDebugPrivilege	2752	wininit.exe
Token: SeDebugPrivilege	2648	wininit.exe
Token: SeDebugPrivilege	2704	wininit.exe
Token: SeDebugPrivilege	3020	wininit.exe
Token: SeDebugPrivilege	1832	wininit.exe
Token: SeDebugPrivilege	2784	wininit.exe
Token: SeDebugPrivilege	2176	wininit.exe
Token: SeDebugPrivilege	2756	wininit.exe
Token: SeDebugPrivilege	1248	wininit.exe
Token: SeDebugPrivilege	2328	wininit.exe
Token: SeDebugPrivilege	2160	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1148	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	56
PID 2328 wrote to memory of 1148	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	56
PID 2328 wrote to memory of 1148	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	56
PID 2328 wrote to memory of 1572	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	57
PID 2328 wrote to memory of 1572	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	57
PID 2328 wrote to memory of 1572	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	57
PID 2328 wrote to memory of 2184	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	58
PID 2328 wrote to memory of 2184	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	58
PID 2328 wrote to memory of 2184	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	58
PID 2328 wrote to memory of 2132	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	59
PID 2328 wrote to memory of 2132	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	59
PID 2328 wrote to memory of 2132	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	59
PID 2328 wrote to memory of 468	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	60
PID 2328 wrote to memory of 468	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	60
PID 2328 wrote to memory of 468	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	60
PID 2328 wrote to memory of 1824	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	61
PID 2328 wrote to memory of 1824	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	61
PID 2328 wrote to memory of 1824	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	61
PID 2328 wrote to memory of 2368	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	62
PID 2328 wrote to memory of 2368	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	62
PID 2328 wrote to memory of 2368	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	62
PID 2328 wrote to memory of 1820	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	63
PID 2328 wrote to memory of 1820	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	63
PID 2328 wrote to memory of 1820	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	63
PID 2328 wrote to memory of 1848	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	64
PID 2328 wrote to memory of 1848	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	64
PID 2328 wrote to memory of 1848	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	64
PID 2328 wrote to memory of 1980	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	65
PID 2328 wrote to memory of 1980	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	65
PID 2328 wrote to memory of 1980	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	65
PID 2328 wrote to memory of 1852	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	66
PID 2328 wrote to memory of 1852	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	66
PID 2328 wrote to memory of 1852	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	66
PID 2328 wrote to memory of 2444	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	75
PID 2328 wrote to memory of 2444	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	75
PID 2328 wrote to memory of 2444	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	75
PID 2328 wrote to memory of 1424	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	80
PID 2328 wrote to memory of 1424	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	80
PID 2328 wrote to memory of 1424	2328	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	80
PID 1424 wrote to memory of 2656	1424	cmd.exe	82
PID 1424 wrote to memory of 2656	1424	cmd.exe	82
PID 1424 wrote to memory of 2656	1424	cmd.exe	82
PID 1424 wrote to memory of 2932	1424	cmd.exe	83
PID 1424 wrote to memory of 2932	1424	cmd.exe	83
PID 1424 wrote to memory of 2932	1424	cmd.exe	83
PID 2932 wrote to memory of 2072	2932	wininit.exe	84
PID 2932 wrote to memory of 2072	2932	wininit.exe	84
PID 2932 wrote to memory of 2072	2932	wininit.exe	84
PID 2932 wrote to memory of 848	2932	wininit.exe	85
PID 2932 wrote to memory of 848	2932	wininit.exe	85
PID 2932 wrote to memory of 848	2932	wininit.exe	85
PID 2072 wrote to memory of 1832	2072	WScript.exe	86
PID 2072 wrote to memory of 1832	2072	WScript.exe	86
PID 2072 wrote to memory of 1832	2072	WScript.exe	86
PID 1832 wrote to memory of 2880	1832	wininit.exe	87
PID 1832 wrote to memory of 2880	1832	wininit.exe	87
PID 1832 wrote to memory of 2880	1832	wininit.exe	87
PID 1832 wrote to memory of 2800	1832	wininit.exe	88
PID 1832 wrote to memory of 2800	1832	wininit.exe	88
PID 1832 wrote to memory of 2800	1832	wininit.exe	88
PID 2880 wrote to memory of 2752	2880	WScript.exe	89
PID 2880 wrote to memory of 2752	2880	WScript.exe	89
PID 2880 wrote to memory of 2752	2880	WScript.exe	89
PID 2752 wrote to memory of 1856	2752	wininit.exe	90

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
"C:\Users\Admin\AppData\Local\Temp\8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hpkupkyryY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2656
- - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
    "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2932
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58c20937-b294-4123-b9f0-acbb03645f19.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1832
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b7eee19-2e52-48cf-b608-fbaa09d3c425.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3deedcd-8b61-43e3-8d11-ad1908a5e3af.vbs"
        8⤵
        
        PID:1856
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbcf5e9b-8baa-49ca-9b5d-b3a5f4be984c.vbs"
        10⤵
        
        PID:860
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96595ecb-6d39-41b1-b5b1-128ac6c646f9.vbs"
        12⤵
        
        PID:2724
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ae06a53-eb52-4dc3-8894-30e344e2e855.vbs"
        14⤵
        
        PID:1628
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2667c43b-6f82-4171-98af-b9cf280462ff.vbs"
        16⤵
        
        PID:1092
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c229b51-3e8c-4e44-9983-eca5be7eeefb.vbs"
        18⤵
        
        PID:2948
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b16e595-09cf-45a1-9b03-04ce94a4c20a.vbs"
        20⤵
        
        PID:780
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\085d6ab0-bd20-4859-b26f-725f8c69ec83.vbs"
        22⤵
        
        PID:816
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4e6a4b2-a9f7-44e2-9eb6-c6ddb15e8e6b.vbs"
        24⤵
        
        PID:1576
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\446d4407-be94-42f8-9888-a36a1ba7eb0c.vbs"
        26⤵
        
        PID:908
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe"
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ebe9d01-bf2c-400a-9877-79f6b0096bac.vbs"
        28⤵
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9109432a-3973-462f-98e7-4dfde33f484f.vbs"
        28⤵
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\166c1ab8-9478-48e0-aed0-b1bea7d3d384.vbs"
        26⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80cbae67-6748-4abe-900a-85b19f678710.vbs"
        24⤵
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b092995-67a2-4617-a891-6ce438f42b47.vbs"
        22⤵
        
        PID:308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a56d8e8-661a-480a-a6ea-7b5965187328.vbs"
        20⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea594d42-ecc8-459d-ab87-75dc469a1219.vbs"
        18⤵
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a93a9d-37de-43a5-a894-e823de22c586.vbs"
        16⤵
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb6c1b04-44bd-4034-b18f-898d45693cb9.vbs"
        14⤵
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\681be728-cbbd-4254-be59-172a65736ce1.vbs"
        12⤵
        
        PID:1232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e06e1f3-dd39-485f-9b7d-5c5f86a03e3f.vbs"
        10⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcd33de0-475e-4e53-9b93-4921d990b524.vbs"
        8⤵
        
        PID:2624
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dfe9015-353f-4c12-948e-e904e3a78454.vbs"
        6⤵
        
        PID:2800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da14287-9bd5-41d2-bd38-25c1ca79b429.vbs"
      4⤵
      PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\WmiPrvSE.exe

Filesize
4.9MB

MD5
eb1f3e01f1667dad8081e7c32cec0db2

SHA1
fccbd067bcba03965d87ce10245bee1913f28e3a

SHA256
84ba5c916341564e49d19127db6289e0763133553befb84ea714ca26c31f2b2c

SHA512
669dc6050bacbbd1c7033f324a43c02b9f41e6fcfb3a27588480b789896830c33e4e81c65728b4d2f2c730f10366346d4dce59d0eb5c7b71d708816a7779a21e

Download Submit
C:\MSOCache\All Users\WmiPrvSE.exe

Filesize
4.9MB

MD5
87c0d521f3387245929438143a477b30

SHA1
d427908e35f8a94c83750d923b32c91583091981

SHA256
8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93

SHA512
f0f2d6916ad0082e4e30874e1df32bb9250e4f4d7557746eda09c8d38ac115122856cb19361f4d6085326b7826a029ad6e413dabfb81ef439913c711e0c2ac29

Download Submit
C:\Users\Admin\AppData\Local\Temp\085d6ab0-bd20-4859-b26f-725f8c69ec83.vbs

Filesize
761B

MD5
ef4c49fe2a94d6abcc6617e71a3e88f4

SHA1
0dd09bf78eb9d5ca7c032e1d17b4f7dfac9f2653

SHA256
b363e786e1f4daaeab92e503b8a269bbd1eda63303b389caa9717bbc776a127c

SHA512
60f7708d9d264a84cf1b1e39145c875ba7b05c87907a3ac5c40e02e6093cb480417e06d64fdb0dbea0c2f0e65ecf075cf4cea9ff54e270249dd16dba7c5308bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ae06a53-eb52-4dc3-8894-30e344e2e855.vbs

Filesize
761B

MD5
ce812671625bb89d039891022807c1ea

SHA1
ae085fcf5534b677498228c3931a88eb925b058a

SHA256
af61d49f297108eca4329f3657df576b33f518ea45b065463f7051e8554ca30f

SHA512
778f286cf97a1bf287400a471a1b03bdc1d5b5f556ac1ea05e6e10a629a6f8535b832134265eb44cb0d0b53b68acaefd0481645ae0cf8831fd8ece1e89df822e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c229b51-3e8c-4e44-9983-eca5be7eeefb.vbs

Filesize
761B

MD5
ec597376555173989aed484aa9991395

SHA1
7e4113a0c19d9063d585b96d6045c9c34236029b

SHA256
0f0d452c2e3c3bdf67f43a9952e11c6bdbf8cb37361d4768802aa6e7e21a653a

SHA512
5a51665180b328418a384d7ef1fc3e1b089edb3b009bfd7e4b37417047551404336ae33be24223d23ea5a3d208291010ea749e6d05af1b5a603b21b8cad62262

Download Submit
C:\Users\Admin\AppData\Local\Temp\446d4407-be94-42f8-9888-a36a1ba7eb0c.vbs

Filesize
761B

MD5
9362ba8b6ca01a90bba8a4f23720be00

SHA1
f675414bca990c6637d6788e63155a5c2201afa6

SHA256
ca06209147c2c73d6b12dcf3482b3d822f090105d8198a53abacad316154d984

SHA512
6ec448c83257e62316cec5470810f3645688de65311a109e577d14fb9758f7c56255b94eea86fb13487e3b623c3801318897e2b3c11a63f79cc8f05a62424155

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ebe9d01-bf2c-400a-9877-79f6b0096bac.vbs

Filesize
761B

MD5
2c5faf7a0ecff0c6ecf598d394f7c86f

SHA1
cc1e01736b9ec6a5199a5190ec63b768014bda53

SHA256
463c9c9abb67f9c7a346c6ecfa140cb6c780f7623d3bc36b49c3fb7d3e12bcee

SHA512
764b766bfdeb3dd77961a6bbdf65d1e40c1983b3bef9e4d00bd469b70b3a0233d19ec0818c76d3ab23b3360421bab6076358cf446eced3f5fdb8b972d5eff346

Download Submit
C:\Users\Admin\AppData\Local\Temp\58c20937-b294-4123-b9f0-acbb03645f19.vbs

Filesize
761B

MD5
fa5f4a82fee744cccac1c02a6d70f3d8

SHA1
1fd224df45d20d4eda776ed74faf54419d565831

SHA256
27320892fca62fff099c4937af6d5225e178fd41f117e263b9bfc0fc710fc2ae

SHA512
5b08c7798e38398970f2d3fca13a3da28e48bb6a456f60d27fc86013a59a20b8a2e799268ddd934a7d80876e34b5813592ddc56b27a768c6c0192fe97474908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6da14287-9bd5-41d2-bd38-25c1ca79b429.vbs

Filesize
537B

MD5
16f41e60343fef1c2dca0754297ee85d

SHA1
f39ed10dfdef86d5754d0c0028d724f7a97d1b88

SHA256
1571598a9ffce1e40bd6ec312ab9de7cd2ae2af065dad0901a5f086ddd391066

SHA512
5b4381d7c5431704c7aa62ad7dad0d8cba31a7d13753c2357e5678a9ba05347ebcf30fac54ecb9c89678b150a66654fa8912d382d82e7dfec8a889586aadf9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b16e595-09cf-45a1-9b03-04ce94a4c20a.vbs

Filesize
761B

MD5
eb453eda4c3857d9f178b769a049d5ac

SHA1
799db7ef158ed9ce413650dd45bc69ee600c663b

SHA256
9b78f299a066b2c503df9b4be764311e85411056e43a36f0b6577329a4236648

SHA512
aaefb3e73954e8fcdd4baa69aeb063a28ede9c6fd2f12f5c0df790539e48769b04be6f812cba48247894d844d5626113233ace16d99106d8b9b5794aea4e4e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\96595ecb-6d39-41b1-b5b1-128ac6c646f9.vbs

Filesize
761B

MD5
1473123f1f90a93f8d1992e2e11dafc7

SHA1
53a8f5d470bbef1d92f8e89e93c0143070fd5fed

SHA256
bac72431a324caa0c78c2c2076be6d95809716f21da748a567fa8dd9602645c7

SHA512
dfd58a2981aa7ca3ccd05b9ba06877bac3bd6e52e99adc1a58fd302ea919800d84022ec3f27577a24a61a6671027c5c54c4cc916a0b80c3e2e5e8eb75adbb489

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b7eee19-2e52-48cf-b608-fbaa09d3c425.vbs

Filesize
761B

MD5
83c482f4b2e53d380fec5e8c025e5636

SHA1
57b4b593894b578fae56d5f7764aa796d62d15b7

SHA256
baf415638771b14c73d5a45c485d431ea5d3b3ed249ca9809ea23fad85541694

SHA512
4fa4c350146bd1650571fccd48a5fdc5734124e77c7367d0d42b386ced243110b9d3d34b6d35ccf33421f01325c6ba793708f0119fbd8fc0d80ae4037ee0d4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e6a4b2-a9f7-44e2-9eb6-c6ddb15e8e6b.vbs

Filesize
761B

MD5
a5408d783a60dbd99bf4d38b12e28df9

SHA1
fc4e1a5c822eb39ca2fe64c68ee3009a698b1dc0

SHA256
76f13a4f9ecf609e271cee304bab1d3ad68b2c4d6c787f4b1077e06bbca5501d

SHA512
20db26f1a456c7bda2b7403fcf5ab478155f612fdc8c9d31c0142d4a7a087ce5e1848e0a1f60ff4c617edc69cb4be03b50434f9fefd9cf984785a6dbf77f82c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3deedcd-8b61-43e3-8d11-ad1908a5e3af.vbs

Filesize
761B

MD5
57fc666f748e77ecfb84836250310235

SHA1
0f53f5786df5fc66aa87b7c54effd9b39aa0d188

SHA256
169c6b125a6ce790b4220ac8d45dc501d95eee4028faa218313dac96e1370ae0

SHA512
8085116066e37fa857b3296bb55abca33a334ec62cd3227d3ace9b1efe3bd32769819d77e9d2640c081b1ccab1a190501ffad1524a4fa153a44ab728b9ed5c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbcf5e9b-8baa-49ca-9b5d-b3a5f4be984c.vbs

Filesize
761B

MD5
d9a8c1c8acdf49e04e939551b29ec2f5

SHA1
3494dc2e619f5f21a3711d05ffa685321d9c20d6

SHA256
6e92088775579224916c35f3413d9a71730d0293dcdaefe8cd54b4f0dffddd9f

SHA512
12ae7b08aacd82be3f7f19de5958ac2eee69cb22af7900ec8f5a9d69fb0d34de997248a257da148db5f92261805f3a461a7ab1aa0500cd9fcf99e9f436332305

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpkupkyryY.bat

Filesize
250B

MD5
e03267832b73284a130883cc4f7563a4

SHA1
76213a4254b2c4c1f74ec1e3ae725fec6db20950

SHA256
f9a3cd19422c92a74a3554423bfe0ba3a92569bbd600cb0e80d61317632422f5

SHA512
0aec2ac2a6cb0d287b576b49da83f35427ad11bf949622f0e5f1cee82d34a21ca628b861f5bdd4c0136ded41296050ab832d6b542197bae9925146153785f3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC88.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LTQUZKHKMPAOV8QS0ILE.temp

Filesize
7KB

MD5
f88b3ab0930c06d7779ee3ca9ec2c09e

SHA1
f43befa771d4f7f1238edeb7d3639a02aa8a415e

SHA256
b8796bfd7a736c3103241e4e6bf83721b7b7f8f58eb935a782993ff48d51c15b

SHA512
5809124fbabf1d03466a051b26303afa540cee10ba8904a866d479bd4ee3cfb720ba6ba11b9985788a805d89dbf8cba0eaa2e98711d642960f550411a6526867

Download Submit
memory/1832-242-0x0000000001030000-0x0000000001524000-memory.dmp

Filesize
5.0MB

Download
memory/1832-169-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/1848-120-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/1848-121-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2160-332-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/2160-333-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/2176-273-0x0000000001270000-0x0000000001764000-memory.dmp

Filesize
5.0MB

Download
memory/2328-12-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/2328-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2328-1-0x0000000000DB0000-0x00000000012A4000-memory.dmp

Filesize
5.0MB

Download
memory/2328-97-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-14-0x0000000000860000-0x0000000000868000-memory.dmp

Filesize
32KB

Download
memory/2328-16-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/2328-2-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-15-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2328-13-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/2328-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2328-3-0x000000001ADB0000-0x000000001AEDE000-memory.dmp

Filesize
1.2MB

Download
memory/2328-11-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/2328-10-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/2328-4-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download
memory/2328-317-0x0000000000130000-0x0000000000624000-memory.dmp

Filesize
5.0MB

Download
memory/2328-9-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2328-8-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2328-7-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2328-5-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2752-184-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/2756-288-0x0000000000230000-0x0000000000724000-memory.dmp

Filesize
5.0MB

Download
memory/2784-258-0x00000000008A0000-0x00000000008B2000-memory.dmp

Filesize
72KB

Download
memory/2784-257-0x00000000002D0000-0x00000000007C4000-memory.dmp

Filesize
5.0MB

Download
memory/2932-155-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2932-154-0x0000000000CD0000-0x00000000011C4000-memory.dmp

Filesize
5.0MB

Download
memory/3020-227-0x00000000003B0000-0x00000000008A4000-memory.dmp

Filesize
5.0MB

Download