dcrat | 4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Size

4.9MB
MD5

85ab5c50c78b5db54a69d9f85c8d07ff
SHA1

112a5c1bf9a479baf32c8196ba4b1bc24b27541e
SHA256

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21
SHA512

2978fdea829a99e828bff671748a346e075ed4fb597127dba6f99bd23704d740d8d776afe530bbd544d42bf71dbcf328a66dbcd55f48dd25ee2a9cb46878eaa4
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2876	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2876	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/880-2-0x000000001B720000-0x000000001B84E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
980	powershell.exe
264	powershell.exe
1508	powershell.exe
2644	powershell.exe
1976	powershell.exe
3004	powershell.exe
2884	powershell.exe
1984	powershell.exe
1616	powershell.exe
2532	powershell.exe
2604	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2456	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1756	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2984	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2800	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2028	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2752	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
3000	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1916	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1604	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\dwm.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\VideoLAN\VLC\6cb0b6c459d5d3	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX7828.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Windows Journal\fr-FR\6cb0b6c459d5d3	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\VideoLAN\VLC\dwm.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\lsass.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\dwm.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\RCX7CAC.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Windows Sidebar\en-US\6203df4a6bafc7	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\55fc0a0416916c	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX73B3.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Windows Journal\fr-FR\dwm.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\RCX7A2B.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX8140.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Windows Sidebar\en-US\lsass.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1940	schtasks.exe
1860	schtasks.exe
2588	schtasks.exe
2272	schtasks.exe
1228	schtasks.exe
2316	schtasks.exe
2152	schtasks.exe
996	schtasks.exe
2544	schtasks.exe
1508	schtasks.exe
1160	schtasks.exe
2080	schtasks.exe
1348	schtasks.exe
1344	schtasks.exe
2244	schtasks.exe
1944	schtasks.exe
1148	schtasks.exe
2160	schtasks.exe
2864	schtasks.exe
1732	schtasks.exe
2032	schtasks.exe
2592	schtasks.exe
2264	schtasks.exe
2896	schtasks.exe
2408	schtasks.exe
2368	schtasks.exe
916	schtasks.exe
2400	schtasks.exe
2916	schtasks.exe
1712	schtasks.exe
2992	schtasks.exe
2952	schtasks.exe
2392	schtasks.exe
2376	schtasks.exe
1776	schtasks.exe
856	schtasks.exe
1000	schtasks.exe
448	schtasks.exe
1656	schtasks.exe
2028	schtasks.exe
664	schtasks.exe
2436	schtasks.exe
1752	schtasks.exe
3024	schtasks.exe
2532	schtasks.exe
2356	schtasks.exe
1232	schtasks.exe
3028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2884	powershell.exe
1976	powershell.exe
1508	powershell.exe
1616	powershell.exe
2644	powershell.exe
1984	powershell.exe
980	powershell.exe
2824	powershell.exe
3004	powershell.exe
2604	powershell.exe
2532	powershell.exe
264	powershell.exe
2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2456	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1756	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2984	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2800	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2028	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2752	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
3000	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1916	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1604	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	2456	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	1756	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	2984	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	2800	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	2028	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	2752	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	3000	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	1916	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	1604	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1508	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	79
PID 880 wrote to memory of 1508	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	79
PID 880 wrote to memory of 1508	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	79
PID 880 wrote to memory of 2644	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	80
PID 880 wrote to memory of 2644	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	80
PID 880 wrote to memory of 2644	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	80
PID 880 wrote to memory of 1616	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	81
PID 880 wrote to memory of 1616	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	81
PID 880 wrote to memory of 1616	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	81
PID 880 wrote to memory of 1984	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	83
PID 880 wrote to memory of 1984	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	83
PID 880 wrote to memory of 1984	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	83
PID 880 wrote to memory of 2824	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	85
PID 880 wrote to memory of 2824	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	85
PID 880 wrote to memory of 2824	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	85
PID 880 wrote to memory of 2532	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	86
PID 880 wrote to memory of 2532	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	86
PID 880 wrote to memory of 2532	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	86
PID 880 wrote to memory of 980	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	87
PID 880 wrote to memory of 980	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	87
PID 880 wrote to memory of 980	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	87
PID 880 wrote to memory of 2884	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	88
PID 880 wrote to memory of 2884	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	88
PID 880 wrote to memory of 2884	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	88
PID 880 wrote to memory of 264	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	89
PID 880 wrote to memory of 264	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	89
PID 880 wrote to memory of 264	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	89
PID 880 wrote to memory of 2604	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	90
PID 880 wrote to memory of 2604	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	90
PID 880 wrote to memory of 2604	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	90
PID 880 wrote to memory of 3004	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	91
PID 880 wrote to memory of 3004	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	91
PID 880 wrote to memory of 3004	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	91
PID 880 wrote to memory of 1976	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	92
PID 880 wrote to memory of 1976	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	92
PID 880 wrote to memory of 1976	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	92
PID 880 wrote to memory of 2156	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	103
PID 880 wrote to memory of 2156	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	103
PID 880 wrote to memory of 2156	880	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	103
PID 2156 wrote to memory of 1860	2156	cmd.exe	105
PID 2156 wrote to memory of 1860	2156	cmd.exe	105
PID 2156 wrote to memory of 1860	2156	cmd.exe	105
PID 2156 wrote to memory of 2068	2156	cmd.exe	106
PID 2156 wrote to memory of 2068	2156	cmd.exe	106
PID 2156 wrote to memory of 2068	2156	cmd.exe	106
PID 2068 wrote to memory of 2940	2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	107
PID 2068 wrote to memory of 2940	2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	107
PID 2068 wrote to memory of 2940	2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	107
PID 2068 wrote to memory of 3012	2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	108
PID 2068 wrote to memory of 3012	2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	108
PID 2068 wrote to memory of 3012	2068	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	108
PID 2940 wrote to memory of 448	2940	WScript.exe	109
PID 2940 wrote to memory of 448	2940	WScript.exe	109
PID 2940 wrote to memory of 448	2940	WScript.exe	109
PID 448 wrote to memory of 1672	448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	110
PID 448 wrote to memory of 1672	448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	110
PID 448 wrote to memory of 1672	448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	110
PID 448 wrote to memory of 1384	448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	111
PID 448 wrote to memory of 1384	448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	111
PID 448 wrote to memory of 1384	448	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	111
PID 1672 wrote to memory of 2456	1672	WScript.exe	112
PID 1672 wrote to memory of 2456	1672	WScript.exe	112
PID 1672 wrote to memory of 2456	1672	WScript.exe	112
PID 2456 wrote to memory of 1616	2456	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	113

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
"C:\Users\Admin\AppData\Local\Temp\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dtS9HYizD.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1860
- - C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
    "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2068
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8d04f39-6e8b-4ea4-9431-ac5a90ba354e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\264b5f42-acde-4dee-88b9-495e942ce25b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22c5e30-1c75-456a-a5e2-55e55e6ca51e.vbs"
        8⤵
        
        PID:1616
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d71934ab-fc0f-40e7-be56-d7c21e265e0e.vbs"
        10⤵
        
        PID:2824
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06c62ea4-e16a-4194-abb9-035c96e637d4.vbs"
        12⤵
        
        PID:992
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59f106b3-3f72-4f1a-9c34-5aba7bd13762.vbs"
        14⤵
        
        PID:2336
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbe1bf6c-d7c3-48e9-a155-8a021c2eb205.vbs"
        16⤵
        
        PID:604
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\285219b0-3b6b-4681-8aee-976184b534a2.vbs"
        18⤵
        
        PID:2692
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b76d93a5-1e49-4f62-8141-437fe0ef38ac.vbs"
        20⤵
        
        PID:2688
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9318125a-ac96-4d35-8bc5-cb06c2a24226.vbs"
        22⤵
        
        PID:932
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41f7219b-4b3b-4e17-8762-7c0359d42166.vbs"
        24⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e0396ff-faae-40cc-9d65-1e2fdb46107c.vbs"
        24⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33948235-7cd4-4f69-a4f8-b63a9aa7d810.vbs"
        22⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7df72249-3866-4bf3-961b-bc4dedff8c0f.vbs"
        20⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bfbc6cf-378a-4e98-b487-3bf505c12e77.vbs"
        18⤵
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b54c7ab-a4be-4f97-a5f9-403bfef29bd2.vbs"
        16⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22539ebd-b099-404a-ac58-bf5d431bd617.vbs"
        14⤵
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47751cde-e8ad-45be-88a8-ce35ad623ab6.vbs"
        12⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\684ad3e6-1dda-4998-a4fc-7f400cb22873.vbs"
        10⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be98d2d6-d97b-4a63-91eb-f537dcf7274d.vbs"
        8⤵
        
        PID:536
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a6d7f59-214e-46dc-99d4-7c0256d9def4.vbs"
        6⤵
        
        PID:1384
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16f5fd5f-d9b0-4d75-8946-dcd1cbed2c82.vbs"
      4⤵
      PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f214" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f214" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f214" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f214" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Filesize
4.9MB

MD5
6fbe7510fca282f4470eab1eeccfa198

SHA1
f88db9af14e57e0334b8ad5dd27686229be09274

SHA256
0cbbe565ec7d0994aed29117e0467820895f223e0c1c4e068bd62800f1931081

SHA512
283e9ee0397f36194afc225dc6d1f1197ca86f7d5e05732d7588d90bbc15e0d86fd873bcf99e3d80a3b1ecd410c634f0902c991cc8a536f4384cf335942b8f5c

Download Submit
C:\Program Files\Windows Journal\fr-FR\dwm.exe

Filesize
4.9MB

MD5
ca583579e0153cc399d3fad4fb3d5fa9

SHA1
f76891a484bd35b9ae3a37bd620fe5b50754dbb1

SHA256
48c3a65b54c12d4baef948ca0ecca51ded348385af535674947137401bb7304f

SHA512
50501c7876bcb4863a456e7e2e695d95e6322068fb5651bd1c27259bfc47553a84ffac2744f9f589ad424cf4462f61069f838052d6ea61dc0375a5ce8cf0fc93

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe

Filesize
4.9MB

MD5
85ab5c50c78b5db54a69d9f85c8d07ff

SHA1
112a5c1bf9a479baf32c8196ba4b1bc24b27541e

SHA256
4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21

SHA512
2978fdea829a99e828bff671748a346e075ed4fb597127dba6f99bd23704d740d8d776afe530bbd544d42bf71dbcf328a66dbcd55f48dd25ee2a9cb46878eaa4

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe

Filesize
4.9MB

MD5
26930f8d145c2c1c0bdcad9993f2b9ce

SHA1
5083744db50d341e89235c6a086831916f41f611

SHA256
a011503465c846854a54c874607ce43019f67b0cc05e653a74a7af6d0904705c

SHA512
e85a343f59333b678b6d3c09254eb49fde0884603bf18f806b39d432d9179fefaa1b2e555afdfe42b486b56dae40c24f01a3435a0c373f4bf38fcb47fb86b32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\06c62ea4-e16a-4194-abb9-035c96e637d4.vbs

Filesize
815B

MD5
be8290b67f56c4c96dbf61a6772a0942

SHA1
76bc9a4b98c1b8d43969c0f30a1b627197b78a1b

SHA256
59207d7458ceb0118f8220b1709e2870ece7bf981957fda4524b37a7737093af

SHA512
86595321dfe03dbf38e0f95f77109778f14c4dfb1e2aab0dbff03915fa4fda55a2409fd0f6c6dac741e76b2ff961333aef72cf2b3ddd79fd293f0e8eb69e6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\16f5fd5f-d9b0-4d75-8946-dcd1cbed2c82.vbs

Filesize
591B

MD5
c1aeb6bb282fd91c4f7805e869e6e79f

SHA1
56acb659c4baa61c70e47b2538f8a1e7fb6c93f2

SHA256
48a8b289cc9ef0e63fb4bd7b44f78b476bf199c85d42983e13bdfc41a6b87d1c

SHA512
9d0828a9baf37062ba3a8e13a44e1f1978ed4e7d3d912e707fdbaf21ccf511aa39403a30a513cef1c1d88c14981ec85e59c3c9fee71369c17c54a92b466367f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\264b5f42-acde-4dee-88b9-495e942ce25b.vbs

Filesize
814B

MD5
bdf835c0385ffb0bb4d0633b7aba40bc

SHA1
5998d5e61436fd44e47c3a616366e73e57fe398e

SHA256
4f88ad0e4f822d11f1ea60560e890603efa4b9424fb338c9c0823ad50af6f07e

SHA512
81b749a1fa03789d1dd4264c241d47a20822d7c96b3ec09957b4a8c21bcf406e51bea23479f80449901ce0b797e761320d509514e1fe66ccb65439272177d129

Download Submit
C:\Users\Admin\AppData\Local\Temp\285219b0-3b6b-4681-8aee-976184b534a2.vbs

Filesize
815B

MD5
688d59f9817790c5d90f66a834f745c8

SHA1
33de593085204db021984dc260386d29f552ae57

SHA256
631fd2482fb990d79d23e60db48dec92e406c7e4173a614adf8a3e77b4a2e617

SHA512
9cf7bd1add876c2a97f88a4c08d5be11cec54d47d0364f394aee69fe2b9168d76bd8ed92624dcb7926cfa4c731f5a183e84dfe6d18cc3f972fc203d589dedf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41f7219b-4b3b-4e17-8762-7c0359d42166.vbs

Filesize
815B

MD5
4a2622439ca47ade52aa24b754440b5b

SHA1
5a1f8c569007b2a2a8cbc221f06a51712e990249

SHA256
9b3d93ff0264134929a8e961d2aac29843a71141b831f8e40189caed00306b0b

SHA512
fbabe557cfbfcd6efdd4e23e7921984e517c5829a032a182d09bf5e0be32aaa8e640aed37940e6d3703efbc10f4fb473aa60bd4c7b7070b937f1580b5e4a345f

Download Submit
C:\Users\Admin\AppData\Local\Temp\59f106b3-3f72-4f1a-9c34-5aba7bd13762.vbs

Filesize
815B

MD5
35793cdb2250271fa48a8823d5c09fc4

SHA1
d91989c9d652c05a8c62e47236c5b0704ccfaec7

SHA256
74669619e6bba99b328ec07b26975fd7e0cdc2440b3fe8e5f036b13c8680f222

SHA512
ffb8fe632ddbbfcebae168cfbaaa4c188158ab2d905e449133adcde2f306cbfdca3a5e9a79bb736913b5d54b64cb541e0777a8f249bd96edfcd4ad2086c1b0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9318125a-ac96-4d35-8bc5-cb06c2a24226.vbs

Filesize
815B

MD5
e361a489befea531dd98ceb1439beba4

SHA1
bc0af9bf9cc265c5e2e9268ff82bbc7dd8621e6a

SHA256
c6b08d46c5d8668060bb98d263fdf0c114c1a89268001331b7658d3a63a1d267

SHA512
49cfd4380e7d7d038397c7f85c479f2b3471b9328a42ad786c1b4de8f2faef5c9d93dcf4b7178c825d178a1d8fe1a305e8d6fc209a0c43dbc62ccbd98685734c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dtS9HYizD.bat

Filesize
304B

MD5
b39a0503c38ff3ab47cacd39c02d71a0

SHA1
1d7bf2b2ce086242cd5cd4d516cb5146002f0d0f

SHA256
4a15948f9f764f8a361ead53814afc87c7f1abea6fef68077d240d9d68cbbf86

SHA512
d57082caf70d9b8505124da2afca10d9c41672d22be0f15ccbbf6b42ece1654bf0bd546b195858c4b2cfd8c7f7392023cebe80da4636834866f3ad9392fb9a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8d04f39-6e8b-4ea4-9431-ac5a90ba354e.vbs

Filesize
815B

MD5
2475bc2ebcbfd860c3e2563ec8c82319

SHA1
e35a663c7647cec9db74da265bbc8bb6e5d3244c

SHA256
bbd1014feca41d02c35cb3a856bf1b5e70a6455584e94ce178042f6be2e9ce61

SHA512
90845659f650e1b342ffab36868e0a2f6a6eed6a7beff768eec7f476ef8d382b030ebfc323c5c6d09e272feebcb518acece70daeb636f8591fe36529a8c323bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\b76d93a5-1e49-4f62-8141-437fe0ef38ac.vbs

Filesize
815B

MD5
a9e8a34ae7a37c764fa2b92915a96487

SHA1
10e224fb6f838d47eca8cdc6f66c3a37cbe3a7a9

SHA256
050e9565328d634e1fac061246f91f45065c5007c42b90fa16d66e4a2623d6a4

SHA512
4754c7eef4aec0a4e48544bef512d08b59c0e7764364a01dd926c358ee35f63435fc828612a8177ca6821ef5e3d3ef63a749ec34d76d22e6d2c51fa03c10e7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d22c5e30-1c75-456a-a5e2-55e55e6ca51e.vbs

Filesize
815B

MD5
3a45153f43f683ba20795b00a502e20a

SHA1
425b07d2d0ffdeb7c404be8e9522be3a7a51a293

SHA256
c6f96b2dc17cb8f44243155591cb048aadc2d4855458378a083a2c666ebc568b

SHA512
30fbda5f17514768e48ff58ab614d0734d642285b13945bafe4c22a5a2a5e34ed99592049c89bcf3a48dd9e514dea51a13f273d15e392fb9001772af4d9b388e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d71934ab-fc0f-40e7-be56-d7c21e265e0e.vbs

Filesize
815B

MD5
676b443147334f4e1bfa519c404f547a

SHA1
d681171936d20201d7e65a9d95a091415fc05189

SHA256
e74a54a02770d525374bd3d8843de91bdde148f13055c67370484b925e7daea7

SHA512
667e9347179b197102c3dc8791622a158a1dbe60654c8609f1073132c9ace1b56e56aaa1af8c4cbe5578b4854e1efb9831a95c123491b36a73519310fb8287e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbe1bf6c-d7c3-48e9-a155-8a021c2eb205.vbs

Filesize
815B

MD5
abde4efd4d49f28eb02c69c1f63ccf06

SHA1
d3e6101c451f6f2d36e42d38f316fd8a786486bc

SHA256
dccc18fb17996a60e36b08f4d1f8f57c5726ec58bf8f251e6370c4ca2fdfbe25

SHA512
e492cf38d59859af1e666dbd34165e96c14e8fb338e0b027cca231f5426b243ed9c6b4a8c595520ceaedd870174c4f78ab26aee0e0840fbea1f19b6d4b0e565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA87F.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ef5aeecb3d54484fc8437aca547117e

SHA1
e76a3a35bf4deb717357d2c53c4973b314599dc6

SHA256
98e985939851634aafc99cd24f211cdb432c4fdede196a89bf875d6d32af4162

SHA512
a7f2f054da25434052da8c2d450b38b3bdb75c602e5ecd9f271baf3258349eec3b9ef3a95ab0a94be2901dff3f186444eb638ecd11cf8bd855be382eb6b43b33

Download Submit
memory/448-234-0x0000000001140000-0x0000000001634000-memory.dmp

Filesize
5.0MB

Download
memory/880-13-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/880-5-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/880-172-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/880-136-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/880-1-0x0000000000D90000-0x0000000001284000-memory.dmp

Filesize
5.0MB

Download
memory/880-2-0x000000001B720000-0x000000001B84E000-memory.dmp

Filesize
1.2MB

Download
memory/880-16-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/880-15-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/880-3-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/880-4-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/880-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/880-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/880-12-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/880-11-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/880-10-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/880-9-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/880-151-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/880-8-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/880-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/880-7-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/1756-263-0x00000000001B0000-0x00000000006A4000-memory.dmp

Filesize
5.0MB

Download
memory/1916-355-0x0000000001090000-0x0000000001584000-memory.dmp

Filesize
5.0MB

Download
memory/2028-310-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2028-309-0x0000000000380000-0x0000000000874000-memory.dmp

Filesize
5.0MB

Download
memory/2068-219-0x0000000000D40000-0x0000000001234000-memory.dmp

Filesize
5.0MB

Download
memory/2068-220-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/2752-325-0x0000000000280000-0x0000000000774000-memory.dmp

Filesize
5.0MB

Download
memory/2800-293-0x0000000000D30000-0x0000000001224000-memory.dmp

Filesize
5.0MB

Download
memory/2800-294-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2884-175-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2884-173-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2984-278-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/3000-340-0x00000000000B0000-0x00000000005A4000-memory.dmp

Filesize
5.0MB

Download