dcrat | 47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Size

4.9MB
MD5

85e850e508f7ac2537dd1c1b339fff30
SHA1

853d293cce6570de06ad7d230e612577ac9a2b40
SHA256

47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2
SHA512

184da3afd07c90c10f3211614fd74c35c79f13bff9928f9cca8b6d6ebd4ce587ea03a83e1157f02b28b4f2fb9d30f6ed5d93adcb9de889b81a79d75af7ba8154
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2864	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2636-3-0x000000001B9A0000-0x000000001BACE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1524	powershell.exe
712	powershell.exe
2076	powershell.exe
492	powershell.exe
2608	powershell.exe
2476	powershell.exe
756	powershell.exe
344	powershell.exe
552	powershell.exe
2480	powershell.exe
1340	powershell.exe
1436	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2508	dwm.exe
676	dwm.exe
2912	dwm.exe
1572	dwm.exe
2808	dwm.exe
2028	dwm.exe
2036	dwm.exe
2960	dwm.exe
2944	dwm.exe
2856	dwm.exe
2852	dwm.exe
1652	dwm.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\WCN\en-US\taskhost.exe	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File created	C:\Windows\System32\WCN\en-US\b75386f1303e64	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File opened for modification	C:\Windows\System32\WCN\en-US\RCX6AEB.tmp	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File opened for modification	C:\Windows\System32\WCN\en-US\taskhost.exe	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\WmiPrvSE.exe	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File created	C:\Program Files (x86)\MSBuild\24dbde2999530e	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RCX6CEF.tmp	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\dwm.exe	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX6F60.tmp	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\WmiPrvSE.exe	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\dwm.exe	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\6cb0b6c459d5d3	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\f3b6ecef712a24	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File opened for modification	C:\Windows\Tasks\RCX66E4.tmp	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File opened for modification	C:\Windows\Tasks\spoolsv.exe	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
File created	C:\Windows\Tasks\spoolsv.exe	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2164	schtasks.exe
576	schtasks.exe
2884	schtasks.exe
2232	schtasks.exe
2724	schtasks.exe
1736	schtasks.exe
1676	schtasks.exe
3004	schtasks.exe
692	schtasks.exe
2220	schtasks.exe
2436	schtasks.exe
2840	schtasks.exe
2144	schtasks.exe
1044	schtasks.exe
2112	schtasks.exe
2324	schtasks.exe
2732	schtasks.exe
1944	schtasks.exe
2028	schtasks.exe
1768	schtasks.exe
2184	schtasks.exe
1964	schtasks.exe
1716	schtasks.exe
2824	schtasks.exe
2548	schtasks.exe
2516	schtasks.exe
2344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
552	powershell.exe
756	powershell.exe
2480	powershell.exe
2476	powershell.exe
712	powershell.exe
1340	powershell.exe
2608	powershell.exe
492	powershell.exe
2076	powershell.exe
344	powershell.exe
1436	powershell.exe
1524	powershell.exe
2508	dwm.exe
676	dwm.exe
2912	dwm.exe
1572	dwm.exe
2808	dwm.exe
2028	dwm.exe
2036	dwm.exe
2960	dwm.exe
2944	dwm.exe
2856	dwm.exe
2852	dwm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2508	dwm.exe
Token: SeDebugPrivilege	676	dwm.exe
Token: SeDebugPrivilege	2912	dwm.exe
Token: SeDebugPrivilege	1572	dwm.exe
Token: SeDebugPrivilege	2808	dwm.exe
Token: SeDebugPrivilege	2028	dwm.exe
Token: SeDebugPrivilege	2036	dwm.exe
Token: SeDebugPrivilege	2960	dwm.exe
Token: SeDebugPrivilege	2944	dwm.exe
Token: SeDebugPrivilege	2856	dwm.exe
Token: SeDebugPrivilege	2852	dwm.exe
Token: SeDebugPrivilege	1652	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1524	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	58
PID 2636 wrote to memory of 1524	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	58
PID 2636 wrote to memory of 1524	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	58
PID 2636 wrote to memory of 756	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	59
PID 2636 wrote to memory of 756	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	59
PID 2636 wrote to memory of 756	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	59
PID 2636 wrote to memory of 712	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	60
PID 2636 wrote to memory of 712	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	60
PID 2636 wrote to memory of 712	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	60
PID 2636 wrote to memory of 344	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	61
PID 2636 wrote to memory of 344	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	61
PID 2636 wrote to memory of 344	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	61
PID 2636 wrote to memory of 2076	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	62
PID 2636 wrote to memory of 2076	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	62
PID 2636 wrote to memory of 2076	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	62
PID 2636 wrote to memory of 552	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	63
PID 2636 wrote to memory of 552	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	63
PID 2636 wrote to memory of 552	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	63
PID 2636 wrote to memory of 2480	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	64
PID 2636 wrote to memory of 2480	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	64
PID 2636 wrote to memory of 2480	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	64
PID 2636 wrote to memory of 492	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	65
PID 2636 wrote to memory of 492	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	65
PID 2636 wrote to memory of 492	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	65
PID 2636 wrote to memory of 1340	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	66
PID 2636 wrote to memory of 1340	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	66
PID 2636 wrote to memory of 1340	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	66
PID 2636 wrote to memory of 1436	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	67
PID 2636 wrote to memory of 1436	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	67
PID 2636 wrote to memory of 1436	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	67
PID 2636 wrote to memory of 2608	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	69
PID 2636 wrote to memory of 2608	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	69
PID 2636 wrote to memory of 2608	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	69
PID 2636 wrote to memory of 2476	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	70
PID 2636 wrote to memory of 2476	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	70
PID 2636 wrote to memory of 2476	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	70
PID 2636 wrote to memory of 2508	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	82
PID 2636 wrote to memory of 2508	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	82
PID 2636 wrote to memory of 2508	2636	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe	82
PID 2508 wrote to memory of 1720	2508	dwm.exe	83
PID 2508 wrote to memory of 1720	2508	dwm.exe	83
PID 2508 wrote to memory of 1720	2508	dwm.exe	83
PID 2508 wrote to memory of 2704	2508	dwm.exe	84
PID 2508 wrote to memory of 2704	2508	dwm.exe	84
PID 2508 wrote to memory of 2704	2508	dwm.exe	84
PID 1720 wrote to memory of 676	1720	WScript.exe	85
PID 1720 wrote to memory of 676	1720	WScript.exe	85
PID 1720 wrote to memory of 676	1720	WScript.exe	85
PID 676 wrote to memory of 2176	676	dwm.exe	86
PID 676 wrote to memory of 2176	676	dwm.exe	86
PID 676 wrote to memory of 2176	676	dwm.exe	86
PID 676 wrote to memory of 2352	676	dwm.exe	87
PID 676 wrote to memory of 2352	676	dwm.exe	87
PID 676 wrote to memory of 2352	676	dwm.exe	87
PID 2176 wrote to memory of 2912	2176	WScript.exe	88
PID 2176 wrote to memory of 2912	2176	WScript.exe	88
PID 2176 wrote to memory of 2912	2176	WScript.exe	88
PID 2912 wrote to memory of 2752	2912	dwm.exe	89
PID 2912 wrote to memory of 2752	2912	dwm.exe	89
PID 2912 wrote to memory of 2752	2912	dwm.exe	89
PID 2912 wrote to memory of 2184	2912	dwm.exe	90
PID 2912 wrote to memory of 2184	2912	dwm.exe	90
PID 2912 wrote to memory of 2184	2912	dwm.exe	90
PID 2752 wrote to memory of 1572	2752	WScript.exe	91

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe
"C:\Users\Admin\AppData\Local\Temp\47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Program Files\VideoLAN\VLC\locale\dwm.exe
  "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2508
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f374764c-8ca2-4037-8a1f-5d6aab29c1e0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Program Files\VideoLAN\VLC\locale\dwm.exe
      "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:676
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\639e17d6-e215-4bc9-a00c-4d1ed862fd31.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6126ebcf-cdee-4165-8a0a-c30c3b68604a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4b04bc3-a5b1-4b02-a8f3-6f99e55fab0e.vbs"
        9⤵
        
        PID:3000
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a53ea85a-f225-4958-aebe-4642cd0bedd8.vbs"
        11⤵
        
        PID:2068
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46399595-fa58-48e8-a081-e0274739e580.vbs"
        13⤵
        
        PID:2640
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dab90101-f43f-4694-a0a2-a258baf634b2.vbs"
        15⤵
        
        PID:2816
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a4789d-a072-417e-8e6d-a18fff5ea0b9.vbs"
        17⤵
        
        PID:1412
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2330817e-375e-443a-997b-1d8924b572bf.vbs"
        19⤵
        
        PID:2088
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\375705b7-6f2b-4058-acf9-001c1d0e403f.vbs"
        21⤵
        
        PID:2616
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd349edc-3994-48e6-91c6-c208223d0e39.vbs"
        23⤵
        
        PID:2084
        
        C:\Program Files\VideoLAN\VLC\locale\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\dwm.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0030a193-006e-4641-8b18-c6492b89b33c.vbs"
        23⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1044d90c-1666-4d9f-b13e-4d6b11a1b37b.vbs"
        21⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e802d2f6-7e98-4671-b34b-2872d877781c.vbs"
        19⤵
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\991d3f67-b842-4279-bb7c-a017a6c25570.vbs"
        17⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dd14a4f-8d57-46d1-83a8-26a1ae9dbcde.vbs"
        15⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28b96159-138c-4fa9-b4e6-bea0b928089d.vbs"
        13⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79230838-98c2-47bb-ad9c-41a988cc37df.vbs"
        11⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9c3f2ad-a986-423b-a9b6-5e860e621216.vbs"
        9⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97bf4c4b-aa2c-42a5-b65c-2aa8410fcb5f.vbs"
        7⤵
        
        PID:2184
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f1946d2-6fd0-49e7-b7c6-cf43f9639632.vbs"
        5⤵
        
        PID:2352
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cea17ce-fbbc-4fc6-8aec-6e4216272688.vbs"
    3⤵
    PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\WCN\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\locale\dwm.exe

Filesize
4.9MB

MD5
ccaafe08672d7867b8bf3866571e445e

SHA1
5b7bb3773cb2dc15bb534476aee83ffeadb59d15

SHA256
388a8f388fbb0fd26b018f42db2f546e250019037b781334bb636352b6851ac7

SHA512
cbc3a34bdf60b602465ef92508e8364391e6e65c3bf030d8f9194d22e4a3a345f442aa6f4f3b3ef1d3203374c0dcb10e6066eaa8fbb69995259949c8004cefce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2330817e-375e-443a-997b-1d8924b572bf.vbs

Filesize
720B

MD5
5e82c9f743011c77acf7f95fdd65cb04

SHA1
33213e82b333d758ece6c4ae288b79f7bbaeeda7

SHA256
70e5549caf49fd3df8c15c990b6b3d5efebd8384c7c87f8e2a21980cd91abf53

SHA512
a3efec34057c96b555ad74212d9553d771798be4c83d2894571d589da12a88a8ef4852860ff98af4695bcc8d4e3bf9a7a15469bfd71865fbbbca91d2985291ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\375705b7-6f2b-4058-acf9-001c1d0e403f.vbs

Filesize
720B

MD5
554b5ec939ed604910e1b4283a588ca2

SHA1
399e6fd4c08ce4b8602a745d5319e523f8143d77

SHA256
9ebc0e23212e0bd57538b41eaf8ce86ba62c6cc0c8a10befc93f7595b322fbe9

SHA512
b1a6aa888201a90da9b00642b809413bb934255d1c93b6e2e8c29e447c1c516cfc425adb276ff4a6c6badf7e728b1a0cb536aec23009ea431467416574037fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\46399595-fa58-48e8-a081-e0274739e580.vbs

Filesize
720B

MD5
1891ac6ac2ce8d480efda699bfb50aba

SHA1
f16bd0bfb59bd75fb1f8ef8a7ac375a611466779

SHA256
946d93c28bf77a1662ef424fe49f95a907dfbad6762f26e7857b2ea521705cf3

SHA512
29d785f1a3d1e37400894a77bad5f50cd83fbafb49ecda9cc5ade55f384c058f7be42f0ae2c7a26c84d9b06eb482db93a085660f66c7c8c90bbf4fdce7bafc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cea17ce-fbbc-4fc6-8aec-6e4216272688.vbs

Filesize
496B

MD5
1e780536261da8e2ae942d6cdf29b4bd

SHA1
c24f6fb409b4788749031a5c31716d2c6c3f8ad4

SHA256
248479841c910d514d543d96c97b3e2b97158b0b89a133663fef189f552046c5

SHA512
cb8d7403d88180e5cb5628fd5c5d2b8ca42d0554d6af7190f6f79821c4e4815f397838b53de773a5665519ddb2675267a7fbc0f27861817d10213f74e21ad327

Download Submit
C:\Users\Admin\AppData\Local\Temp\6126ebcf-cdee-4165-8a0a-c30c3b68604a.vbs

Filesize
720B

MD5
58ed738563e28e1de723f60933dc5d35

SHA1
107189362968561782ff2f1462bec12139cd971a

SHA256
7b016dacd0d68caff032a640d0fbfa58e8294917e0cb536bc9d015252c7b87be

SHA512
1288f1ebd27c29d2f925dc89426b2b7cd7f3b9557a821c9f2e1119d9f099156726714815ee97be6ad5ca983872a5f3f0a3176557ba9e3b0812be4e6e508d7623

Download Submit
C:\Users\Admin\AppData\Local\Temp\639e17d6-e215-4bc9-a00c-4d1ed862fd31.vbs

Filesize
719B

MD5
30ca3953f0dcaea6fb1485c0f2513c80

SHA1
4a297b5b465fc0c3629dc0c01226a14b9788a09c

SHA256
85c7d6500e6b1147bf8e32d617444d99dbdd20aecc3e5460444cd645331e9f3b

SHA512
1ede3c7aad43bfd1a90d738ad8104527a5f86bf983809a8a1631f345aa7323b1ac8dc70703cacf5a856224bdcf78bf276b8f839f0dae6e23bf432362b17135c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a53ea85a-f225-4958-aebe-4642cd0bedd8.vbs

Filesize
720B

MD5
a76673a0544a5f097bfc92d9cf4f84d2

SHA1
51d9e253d67fe24e5e0a264d907bf1a9a83738bd

SHA256
702d2ae880406c0dea401b4578d379e10a50b12a00dc08dcd44a73d727d2eb98

SHA512
4c3de864a99423592adf7137068d817475882734f102f409a58a4486c95c2a5a73e214840971ba0babe19dc77df5ec0259fe1c2785edfb0d5e1ce56a53a14c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4b04bc3-a5b1-4b02-a8f3-6f99e55fab0e.vbs

Filesize
720B

MD5
c5c198d7d88f0e0cbc32f1070c690767

SHA1
b3c8a4e848356f55915e766381547ee385e70ad9

SHA256
665ea80871262f3e6a6eaa656971de68f2fcef7c12ad064758c4cec75e2191eb

SHA512
f48f80a251c2d47924384e3caa117a9ca086f8df3b9b07b45446f40fad371a6c6fced1b28e551c40bd6e4a0b5d74a6e63502093e5bae62989923393dbdbf3adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0a4789d-a072-417e-8e6d-a18fff5ea0b9.vbs

Filesize
720B

MD5
7f00082dbefe84207b2425960fc90656

SHA1
b957e28d25ee23a87f4e89247d6f5798c4cfade8

SHA256
53782b59ded2b837736c9c6807c890130cd37c6d2289b1fff001df6543e8c771

SHA512
5c8247d0c14beb8999fa89084bc595ec62b94d5de3a58e32e44ec6bbd8e84a45898a555c384ffc12c168f8b06eef825f02098063fa5f9ea2c5947d4c4a03b0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dab90101-f43f-4694-a0a2-a258baf634b2.vbs

Filesize
720B

MD5
e948bcbba07712d11331a10341734e5a

SHA1
9f5641c9c39a27890dde9e768e9965558670e647

SHA256
00769f04bdca38c15117481784286d749c731d175a0ab017d27bc6332c904707

SHA512
889c1fd1b38cc3624baaf0c2aa7efc488bd507156aa46ebfd3efb2880a38a20c70ca6f61625df2869166f81b7d23863b1d8eb83025a3ae7d317df95899a260dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f374764c-8ca2-4037-8a1f-5d6aab29c1e0.vbs

Filesize
720B

MD5
47cfdfbf67b37d1c5fca173ebc0fcbbe

SHA1
0b558be1f428fad2f2058f1da7e2d77ba481ef92

SHA256
7d6a0b4c4f8b12b49253cc1df20281b8305e1f3056973f989a39be0c20617234

SHA512
c6b17fa9e3e13284fd0a7ee02c753b7ddc7b2f0fcf060403e20b80c46bfe71eacdc3105b827920853fc27176981d08cef2eed0874079fff3f2a064fa0cb2affb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd349edc-3994-48e6-91c6-c208223d0e39.vbs

Filesize
720B

MD5
96ca19deeb01630c8497198593f0d74c

SHA1
0bd0606fc66d414ddfd14aac4d04f79a134f635a

SHA256
61c1234f6eb09a46bcf9523304b53979c92dec78e90e871ba637e91245f4be41

SHA512
0a7522ed3a808af222d4691e63b3acf2c7ebe9a8a4aa390105afee205abb37b84a213892248b977e907e31e901b6bb0eec967c35defe55d6328416fcc52b9657

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp843D.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
db148cb327d69ab01174df5499570531

SHA1
721c5e6e35b62171d9893b0cec4c7fa720682eee

SHA256
587ba2edd8a6f59e617140b4a7e49f3ef069da25f92ec533b9a7515af20c37dd

SHA512
8b5dcdc628eddbf6e5923523439722433d163afa04a1351bc2a4cd2e19f149cc245a2121faa972a7f655ef13cf88289bf4fd6f38037ac8da37ba25f0b0d75ef3

Download Submit
C:\Windows\Tasks\spoolsv.exe

Filesize
4.9MB

MD5
85e850e508f7ac2537dd1c1b339fff30

SHA1
853d293cce6570de06ad7d230e612577ac9a2b40

SHA256
47c077d4fa07303d13d9677abc3d2a713dded563f773056c6a62f1107f1c20a2

SHA512
184da3afd07c90c10f3211614fd74c35c79f13bff9928f9cca8b6d6ebd4ce587ea03a83e1157f02b28b4f2fb9d30f6ed5d93adcb9de889b81a79d75af7ba8154

Download Submit
memory/552-113-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/756-114-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1652-326-0x0000000000FA0000-0x0000000001494000-memory.dmp

Filesize
5.0MB

Download
memory/2036-253-0x0000000001180000-0x0000000001674000-memory.dmp

Filesize
5.0MB

Download
memory/2508-163-0x0000000001020000-0x0000000001514000-memory.dmp

Filesize
5.0MB

Download
memory/2636-9-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2636-7-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/2636-169-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-13-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/2636-11-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2636-12-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/2636-10-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/2636-16-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/2636-8-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2636-14-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2636-6-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2636-0-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp

Filesize
4KB

Download
memory/2636-5-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2636-4-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2636-15-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2636-3-0x000000001B9A0000-0x000000001BACE000-memory.dmp

Filesize
1.2MB

Download
memory/2636-2-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-1-0x0000000000E80000-0x0000000001374000-memory.dmp

Filesize
5.0MB

Download
memory/2852-311-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download
memory/2944-282-0x00000000011A0000-0x0000000001694000-memory.dmp

Filesize
5.0MB

Download